Time's Up: Android-Based Smartwatches Hacked

A Samsung Gear Live and a Google Nexus 4 attempt to communicate via Bluetooth. Credit: Bitdefender/YouTube

UPDATED 6:15 pm ET Dec. 12: Some of the conclusions of the research cited in this piece may have been based on erroneous assumptions. Please see below.

Smartwatches and other wearable devices can manage tons of personal information, from texts and email messages to health and biometric data. But how safe is that information as it travels to and from the wearable?

Not so safe, says Bucharest, Romania-based antivirus company Bitdefender. Android-based wearables, according to Bitdefender researchers, encrypt their Bluetooth transmissions with a six-digit passcode — in other words, a relatively short key that attackers could easily crack.

Android-based wearables such as the Samsung Gear Live, which Bitdefender tested, communicate with their owners' smartphones via Bluetooth. This is generally considered secure because Bluetooth is short-range only and attackers would have to be in close physical proximity — usually no further than 10 meters, or 33 feet — to their targets.

If the attackers are close by, however, it's a simple matter to "sniff," or detect, Bluetooth traffic. That's where encryption comes in: Android wearables do encrypt traffic between themselves and owners' smartphones. However, the password used to create this encryption, a six-number PIN typed in by the user upon initial "pairing" of the devices, is relatively insecure.

The number of possible six-digit passcodes is only 1 million. That may seem like a lot, but a computer program, even one running on a smartphone, could guess the correct PIN very quickly through "brute force" — simply trying each possible combination until it found the right one. Once the encryption has been cracked, attackers can read everything transmitted by that smartwatch to the paired smartphone.

In their demonstration, Bitdefender researchers used a Samsung Gear Live smartwatch and a Google Nexus 4 smartphone. They paired the two devices, then used relatively simple analytical software to sniff the Bluetooth connection and brute-force the encryption.

"With quite a few wearables out there that rely on Bluetooth pairing to receive the text messages and for various forms of chatting, security issues should be treated with the utmost seriousness," Bitdefender senior research analyst Liviu Arsene said in a proof-of-concept video.

Smartwatches and other wearables are part of what experts call the Internet of Things, a network of Internet-connected appliances that also includes "smart" refrigerators, air conditioners and home security systems. These objects predate the Internet, but many new versions offer global connectivity — and the associated security risks.

"The Internet of Things is truly a marvelous concept, but only as long as we do not overlook security implications," Arsene said. "The security risks could easily be fixed with stronger or better methods for ensuring the safety of the entire communication."

UPDATE Dec. 11: Bluetooth security researcher Mike Ryan contacted us to explain that short numerical PINs are used by Bluetooth devices only to establish identities during initial pairings, and that much stronger forms of encryption are used during subsequent communications. We've asked Bitdefender researcher Liviu Arsene to clarify his methods and findings, and will update this story further when he responds.

UPDATE Dec. 12: Liviu Arsene explained to us that his research was meant only to demonstrate that it would be possible to intercept traffic destined to be broadcast over Bluetooth before the communication actually reached the Bluetooth chip on a smartphone or smartwatch. He cited proof-of-concept research that showed cellular baseband processors could be hacked over the air, and told us that that research showed Bluetooth communications handled by similar processors were vulnerable.

However, both the piece Mr. Arsene wrote for Dark Reading, and an associated blog posting on Bitdefender's own Hot for Security blog, strongly imply, without explicitly stating, that it would be possible to intercept over-the-air Bluetooth communications simply by cracking a six-digit PIN. We regret that our own understanding of what actually happened was itself obfuscated, unwittingly or otherwise.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.