Bitdefender: smartphone to smarthwatch communication is not secure

Security and privacy is not really at the top of the list of features that most consumers want when they select a smartphone or a smartwatch.

It does play a huge role for some users, many ComTeks readers for example, but the masses seem more interested in looks and having the latest and greatest features than anything else.

As far as smartwatches are concerned, many require that you pair them with a smartphone that you carry with you as well for functionality. The watch uses the information that the smartphone provides to display information such as incoming SMS on the screen. It can also be used to control functionality on the smartphone.

Bluetooth pairing is being used for that so that data can be transferred using Bluetooth once the devices have been paired.

Security company Bitdefender demonstrated recently that the safeguards in place to protect communication between the phone and watch are not secure enough.

The company demonstrated these shortcomings using a Nexus 4 device running the Android L Developer Preview and a LG G smartwatch.

The communication between smartwatch and smartphone is encrypted by a six digit pin code which means that it is not enough to simply record and read the data that is being transferred using Bluetooth.

This pin code is displayed  on both devices when they are paired by the user in the first setup process.

Bitdefender used publicly available tools to brute force the pin code and read the information transferred between the devices.

The (roughly) one million combinations of six digit numeric pin are cracked by modern computer systems in a matter of seconds.

The need for proximity is a limiting factor though. Bluetooth supports three different range classes:

1. Class 1: up to 100 meters
2. Class 2: up to 10 meters
3. Class 3: up to 1 meter

Most smartphones use class 2 radios which means that attackers need to get in to the supported range for the attack.

The pairing weakness that Bitdefender seems to have exploited is a security issue in Bluetooth LE and not specific to wearables. A hacker would need to be near enough to record the communication and need a link-key for the pairing as well unless communication is transmitted in plain text.

Closing Words

It is worrying that communication between watch and phone can be easily captured if the attacker manages to get in close proximity of the wearer.

While that may not be a problem for most users high-level executives, government officials and others with access to sensitive information should at least be aware of the possibility.

How big of an issue is it? I'd wait for an official response from Google or third-parties before coming to a conclusion.