Pebble, a wristwatch that can connect to your phone (both iOS and Android) and interact with apps, has a hard-coded vulnerability that allows a remote attacker to destroy your smartwatch completely.
The Pebble smartwatch, developed and released by Pebble Technology Corporation
in 2013, is considered one of the most popular smartwatches and became
the most funded project in the history of Kickstarter. Just two
hours after its crowd-funding campaign launched, Pebble had already
surpassed its $100,000 goal, and it eventually reached over $10.25 million
pledged by nearly 70,000 Kickstarter backers.
A security enthusiast, Hemanth Joseph, found that his Pebble
smartwatch running the latest v2.4.1 firmware can be remotely exploited by
anyone, with no technical knowledge, to delete all data stored
on the device, including apps, notes, and other information.
HOW PEBBLE SMARTWATCH WORKS
Before describing how he did this, let me explain how Pebble
works, to make the attack clearer. When a Pebble
smartwatch is connected to an Android or iOS phone, it gives a
vibrating alert for every message from WhatsApp, Facebook, or related
apps, with the whole message displayed on its screen.
No character limit is applied to these messages. If
you get a lengthy message, say of 100 words or more, from WhatsApp or
any other messaging app, Pebble will show the whole message on its small
screen, and that’s the hole Joseph exploited.
ATTACK SCENARIO
Joseph tried sending 1500 messages in 5 seconds and noticed that his
Pebble screen filled with lines; soon after, the watch
switched itself off automatically and executed a factory reset.
“Due to that automatic Factory Reset I lost all my Apps and other data which I was having in my Pebble,” Joseph wrote in his blog post. “The same occurred even when I decreased the no. of messages to 300 in 5 sec.”
Anyone with your Facebook ID or even mobile number can exploit this
denial-of-service (DoS) bug to remotely delete all the data stored on
your Pebble, just with a series of small message bombs.
A DoS attack is one in which an attacker sends a large number of requests to
the target device in order to exceed the maximum number of requests
it can handle at a time.
IMPACTS OF DoS ATTACK
We have noticed different impacts of DoS attacks on different Pebble wearable devices. In some cases, the device will:
- crash and reboot
- crash, reboot and factory reset
- crash and suffer permanent damage to the internal software
Unfortunately, Joseph's Pebble smartwatch was permanently damaged
after a number of experiments, but he proposed a solution to this problem:
the company should enforce a character limit when showing apps’ messages
on the screen. He also recommended that Pebble remove the automatic
factory reset.
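The character limit Joseph recommends, sketched in C as an added example; it is not Pebble firmware code and not taken from Joseph's post. It goes beyond the text by also capping how many notifications are held at once, since the reported crash followed a burst of messages; the limits and every name below are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Assumed limits for illustration; not values from Pebble firmware. */
#define NOTIF_MAX_BYTES 160  /* longest text handed to the display */
#define NOTIF_QUEUE_LEN 8    /* notifications held before dropping */

typedef struct {
    char text[NOTIF_QUEUE_LEN][NOTIF_MAX_BYTES + 1];
    size_t head, count;      /* oldest slot, slots in use */
    unsigned long dropped;   /* messages refused while full */
} notif_queue_t;

void notif_queue_init(notif_queue_t *q) { memset(q, 0, sizeof *q); }

/* Queue a truncated copy of msg. Returns 1 if queued, 0 if dropped. */
int notif_push(notif_queue_t *q, const char *msg, size_t len) {
    /* During a flood the queue refuses new entries, so memory use stays fixed. */
    if (q->count == NOTIF_QUEUE_LEN) { q->dropped++; return 0; }
    size_t n = len;
    if (n > NOTIF_MAX_BYTES) {
        n = NOTIF_MAX_BYTES;
        /* Back up over UTF-8 continuation bytes so no character is split. */
        while (n > 0 && ((unsigned char)msg[n] & 0xC0) == 0x80) n--;
    }
    char *slot = q->text[(q->head + q->count) % NOTIF_QUEUE_LEN];
    memcpy(slot, msg, n);
    slot[n] = '\0';
    q->count++;
    return 1;
}

/* Oldest queued text, or NULL if empty. Valid until the next push. */
const char *notif_pop(notif_queue_t *q) {
    if (q->count == 0) return NULL;
    const char *t = q->text[q->head];
    q->head = (q->head + 1) % NOTIF_QUEUE_LEN;
    q->count--;
    return t;
}

int main(void) {
    static char big[2000];  /* constructed oversized message */
    notif_queue_t q;
    notif_queue_init(&q);
    memset(big, 'A', sizeof big);
    /* Burst size reported in the article, delivered without draining. */
    for (int i = 0; i < 1500; i++) notif_push(&q, big, sizeof big);
    printf("queued=%zu dropped=%lu\n", q.count, q.dropped);
    return 0;
}
```

The cap is counted in bytes, so multi-byte text shows fewer characters than the limit suggests.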
PEBBLE RESPONDED
When he approached Pebble regarding the issue, the company replied, “After the freezing of your Pebble you will see a lot of white straight lines all over the screen. We can’t make it back to a working condition by simply Switching it off; we MUST do a Factory Reset in order to make it working again. So it is sure that all your data will be Deleted if your pebble gets a DoS!”
HACKERS TO DEMONSTRATE WHATSAPP DoS ATTACK LIVE
Two young security enthusiasts will demonstrate a possible large-scale remote DoS attack on WhatsApp users at ‘The Hackers Conference’ 2014.
As mentioned in the paper abstract,
Ashwin Thawrani and Rajat Agarwal have identified a serious
vulnerability in the most popular messaging application, “WhatsApp”, that
could allow them to permanently crash the application installed on
users’ smartphones.
The Hackers Conference
will be held in New Delhi on August 30th, 2014, in the presence of
industry leaders, government representatives and underground black-hat
hackers.