Friday, August 22, 2014

8:13 AM
Pebble smartwatch hacking

Pebble, a wristwatch that can connect to your phone - both iOS and Android - and interact with apps, has a hard-coded vulnerability that allows a remote attacker to destroy your Smartwatch completely.
Pebble Smartwatch, developed and released by Pebble Technology Corporation in 2013, is considered as one of the most popular SmartWatches that had become the most funded project in the history of Kickstarter. Just two hours after its crowd-funding campaign launched, Pebble had already surpassed its $100,000 goal and at last had reached over $10.25 million pledged by nearly 70,000 Kickstarter backers.
A security enthusiast Hemanth Joseph found that his Pebble SmartWatch with the latest v2.4.1 Firmware can be remotely exploited by anyone with no technical knowledge in order to delete all data stored in the device, apps, notes, and other information stored in it.

HOW PEBBLE SMARTWATCH WORKS
Before proceeding towards how he did this, let me explain how Pebble works, in an effort to make the attack more clear. When Pebble Smartwatch is connected to an Android or iOS phone, it will give a Vibrating alert to every messages from Whatsapp or Facebook or related apps with the whole message displayed on its screen.
When we talk about messages, there is no character limit established. If you get a lengthy message, say of 100 word or more, from Whatsapp or any other messaging app, Pebble will show the whole message in its small screen — and that’s the hole Joseph exploited.

ATTACK SCENARIO
Joseph tried sending 1500 messages in 5 seconds and noticed that his Pebble screen became filled with lots of lines and soon after it got Switched off itself automatically and executed a Factory Reset.
Due to that automatic Factory Reset I lost all my Apps and other data’s which I was having in my Pebble,” Joseph wrote in his blog post. “The same occurred even when I decreased the no. of messages to 300 in 5 sec.
Anyone with your Facebook Id or even mobile number can exploit this denial-of-service (DoS) bug to remotely delete all your data stored in your Pebble, just with the help of a series of Small Message Bomb.
DoS attack is that where an attacker sends a large number of requests to the target device in order to overload its capacity of handling maximum number of request at a time.

IMPACTS OF DoS ATTACK
We have noticed different impacts of DoS attacks on different Pebble wearable devices. In some cases, the device will:
  • crashed and reboot
  • crashed, reboot and factory reset
  • crashed and caused permanent damage to the internal software
Unfortunately, Joseph get his Pebble Smartwatch permanently damaged after number of experiments, but he gave a solution to this problem that the company should give a Character limit while showing apps’ messages on the screen and also recommended Pebble to remove the Automatic Factory Reset.
PEBBLE RESPONDED
When he approached Pebble regarding the issue, the company replied, “After the freezing of your Pebble you will see a lot of white straight lines all over the screen. We can’t make it back to a working condition by simply Switching it off we MUST do a Factory Reset in order to make it working again . So it is sure that all your data will be Deleted if your pebble gets a DoS!
HACKER TO LIVE DEMONSTRATE WHATSAPP DoS ATTACK
Two young security enthusiasts will demonstrate a possible large scale DoS attack remotely on Whatsapp Users at ‘The Hackers Conference’ 2014.
As mentioned in the paper abstract, Ashwin Thawrani and Rajat Agarwal have identified a serious vulnerability in the most popular messaging application “WhatsApp” that could allow them to permanently crash users’ application installed on the Smartphone devices.
The Hackers Conference will be held in New Delhi, on the August 30th, 2014 in the presence of Industry leaders, Government representatives and underground Black-hat hackers.

0 comments:

Post a Comment