We are living in an era of smart devices that we sync with our smartphones and make our lives very simple and easy, but these smart devices that inter-operates with our phones could leave our important and personal data wide open to hackers and cybercriminals.
Security researchers have demonstrated that the data sent between a Smartwatch and an Android smartphone is not too secure and could be a subject to brute force hacks by attackers to intercept and decode users’ data, including everything from text messages to Google Hangout chats and Facebook conversations.
This happens because the bluetooth communication between most Smartwatches and Android devices rely on a six-digit PIN code in order to transfer information between them in a secure manner. Six-digit Pin means approx one million possible keys, which can be easily brute-forced by attackers into exposing entire conversations in plain text.
Researchers from the Romania-based security firm Bitdefender carried out a proof-of-concept hack against a Samsung Gear Live smartwatch and a paired Google Nexus 4 handset running Android L Preview. Only by using sniffing tools available at that moment, the researchers found that the PIN obfuscating the Bluetooth connection between both devices was easily brute forced by them.
(Brute force attack is where a nearby hacker attempts every possible combination until finding the correct one. Once found the right match, they were able to monitor the information transferring between the smartwatch and the smartphone.)
Of course, this means an attacker would have to be fairly near the victim and log all intercepted Bluetooth data packets. The large-scale adoption of such an exploit could be fueled by the increasing number of smartwatches or smartbands. Weaponizing it could only be a matter of time.
For this proof-of-concept, a Nexus 4 Android device equipped with Android L Developer Preview and Samsung Gear Live were used. The implications of these recent findings are only moderately surprising – we know from past experience that adoption of new technologies does not always go hand-in-hand with better security practices.
Part of the mitigation process involves using NFC pairing when sending the pin code or the use of pass-phrases. Of course, there’s always the option of adding a secondary layer of encryption at the application level, but this might shorten battery life due to extra encryption computations.