Bitdefender has shown off a method through which an attacker can use “a little ingenuity and some open-source tools” to intercept data sent from a smartphone to a smartwatch. The antivirus software-maker says this attack could be used to collect messages sent via Facebook, SMS, or Google Hangouts and allow the hacker to read them as plain text files.
The attack is made possible by the Bluetooth connection required for smartwatches to receive information from a paired smartphone. The connection relies on a six-digit PIN for its security; Bitdefender says it “wouldn’t take long to brute-force [that] number,” which allows a hacker to eavesdrop on the connection and collect information from it.
Bitdefender demonstrated the attack using the latest version of Android and Samsung’s Gear Live smartwatch. “The implications of these recent findings are only moderately surprising,” the company says on its blog. “We know from past experience that adoption of new technologies does not always go hand-in-hand with better security practices.”
This vulnerability’s impact is limited by the requirement that an attacker be “fairly close” to a target to compromise the Bluetooth connection between their devices. But as these products become more popular — something much of the tech industry is banking on — hackers might become more interested in taking advantage of the easily exploited issue.
There are a few solutions to this problem: require a password that can’t be so easily compromised, or add another layer of encryption to the data sent between these devices. Unfortunately for anyone worried about security, neither option is all that compelling — the first would require consumers to fumble with a smartwatch’s frustrating input tools, and the second would cut into a device’s battery life to support the encryption.
Neither option is likely to be implemented until this vulnerability results in more than a proof-of-concept from an antivirus software-maker few consumers even know about. The wearables market is struggling enough as it is; requiring an even more frustrating setup process or shortening battery life would make things even harder for manufacturers.
Security-conscious consumers will have to go with the third option: avoiding wearable products until this problem is addressed. The good news is that they won’t be missing out on much, given the general apathy with which these products have been received.
[Illustration by Brad Jonas for Pando]