Will Smartwatches’ Vulnerability to Hackers Be a Big Setback?

Smartwatches communicate constantly with smartphones, passing information about text messages, meetings, Facebook notifications, and biometric measurements back and forth countless times a day. But researchers have shown that all of those communications may not be as secure as we’d like to believe. A vulnerability that exists due to the way the Android Wear operating system handles Bluetooth communications leaves users’ messages, biometric data, and any other information passed between the smartwatch and a paired Android smartphone susceptible to interception by hackers.

As Ars Technica reported recently, most smartwatches running Android Wear rely on a six-digit PIN to secure the information that travels to and from connected Android smartphones. Because there are only a million possible PINs to secure the Bluetooth connection between the smartphone and smartwatch, these keys are open to brute-force attacks, in which nearby hackers try every possible combination in an attempt to hit on the right one.

Researchers from security firm Bitdefender completed a proof-of-concept hack against a Samsung Gear Live smartwatch paired with a Google Nexus 4 running the developer preview of Android L. Using what Ars Technica characterizes as readily available hacking tools, they brute-forced the PIN, obfuscating the Bluetooth connection between the devices, and were then able to easily monitor the information passing between the phone and the watch. Much of that information is passed back and forth in plaintext.

While Ars Technica notes that the findings aren’t surprising, the revelation of the vulnerability as it relates to smartwatches is another strike against the emerging class of wearables for consumers who may be on the fence about purchasing one. The weakness could expose not only users’ notifications, but also their text messages and the biometric data that their devices collect — not a desirable feature for consumers looking to get on board with smart devices and wearables.

Bitdefender’s post doesn’t address whether the average consumer should be concerned about the findings of its research. As Phys.org notes, the demonstrated vulnerability could pose a risk for politicians or celebrities, or any individual in a situation where hackers think they might have something to gain by intercepting communications. But the practical risk for “the rest of us” is unclear.

As consumers increasingly weigh the possibility of purchasing not only smartwatches, but also devices for the home, security will become an increasingly visible issue. It would be to the advantage of manufacturers to develop a second layer of security — perhaps one that runs on the smartphone itself.

Gartner projected in September that by 2016, smartwatches will comprise about 40% of consumer wristworn devices. Gartner said at the time that nine out of the top 10 smartphone vendors had entered the wearables market or were about to ship a first product, while a year ago only two vendors were in that space. That figure demonstrates the huge interest that the smart devices have sparked among manufacturers who already create smartphones.

Their interest will likely increase as the area piques consumers’ interest. The Apple Watch made a splash when Apple unveiled it this fall, drawing more attention not only to Apple, but to existing and forthcoming wearables. Angela McIntyre, research director at Gartner, predicts that the Apple Watch will trigger more consumer interest when it begins shipping in 2015.

Annette Zimmermann, also a research director at Gartner, referred to the Sony smartwatch products and the Samsung Gear as “early products that received much attention in the press but less enthusiasm from consumers due to their unclear value proposition and flawed design. In 2014, we are seeing a few more positive developments in terms of design and user experience.” The latest smartwatches showcase the features that Android Wear brings to the user, including voice search, turn-by-turn navigation, and contextual reminders, which combine to offer what Gartner terms “basically a Google Now experience on a smaller screen.”

But will users who are enthusiastic about that experience hesitate to purchase an Android Wear smartwatch, now that it’s clear how simple it is for hackers to access the communications between the smartwatch and the paired smartphone? How practical is it for a hacker to actually carry out such an attack?

To carry out an attack, the hacker would need to be close to the victim, cutting down on the practicality of brute-forcing PINs and staying close to monitor communications. From the video posted by Bitdefender, it also seems that the method relies on the hacker being nearby when the two devices are paired, considering that the attack targets the encryption key used during the initial pairing. As the researchers explain, “Because the Android Wear obfuscation relies on a pin code of only six digits during the initial pairing, an attacker wouldn’t take long to brute-force number and start reading your conversations in plain-text.”

The news of Android Wear smartwatches’ vulnerability to hacking comes at an important time, and coincides with an explosion in the number and popularity of smartwatches and other smart devices. The data traveling via Bluetooth connections is increasingly personal and sensitive information, and the research demonstrates that manufacturers should consider creating ways to make communications more secure now, before the devices become ubiquitous. But as Ars Technica notes, many possible fixes would come at a cost to user convenience.

Requiring a stronger password to be entered into the smartwatch before pairing is an obvious fix that would likely be resented by users, who could find it difficult or at least inconvenient to type a longer string on a smartwatch. Bitdefender recommends relying on Near Field Communication (NFC) to transmit a PIN code to the smartwatch during pairing, but because not all devices already include the necessary technology, it would likely raise the price and complexity of devices.

Another possible option, which would also add a layer of complexity, could be to augment Bluetooth encryption with a second layer of encryption, implemented by the app running on both the smartphone and the smartwatch. However, Security Week notes that application-level encryption should be implemented by Google or device manufacturers, and would have a negative impact on battery life — which is already an area of concern for many smartwatches.

Security Week notes that  the Bluetooth Special Interest Group has officially adopted version 4.2 of the Bluetooth core specification, which is said to be faster and more secure than previous versions. Bitdefender says that it hasn’t had a chance to test the latest version, but the firm told Security Week that its experiments haven’t targeted over-the-air Bluetooth communications, which are encrypted by the device’s baseband co-processor. Instead, researchers targeted raw traffic before it was sent to the baseband co-processor.

While the particular vulnerability demonstrated by Bitdefender may not be the most practical hack to carry out, it exposes something more than a weakness that hackers could theoretically exploit. It sheds light on the growing security issue of the less-than-ideal protections in place to secure communications between smart devices. As more consumers consider adopting these devices, whether they’re wrist-worn or in various places around the home, manufacturers will need to step up their security to protect the information that devices pass back and forth.

More from Tech Cheat Sheet: