Abstract

Friday 7 October 14:00 - 14:30, Red room

Yulong Zhang (Baidu X-Lab)
Lenx Wei (Baidu X-Lab)

In 2015, nearly two million Pebble smartwatches were sold, according to IDC [1]. These next-to-skin life/work companions have great implications for privacy and security. Some existing work has already highlighted the security and privacy issues with Pebble watches (e.g. [2]), but none has considered the possibility of a malicious actor fully taking over the watches. To our knowledge, we are the first to describe root exploits of Pebble watches. We will present several zero-day vulnerabilities that we have discovered.

We will start by providing an overview of the Pebble ecosystem and architecture, including its App Store mechanism and the hardware/software stack. We will describe many details uncovered through reverse engineering.

After providing enough background, we will move to our concerns about the security of Pebble smartwatches. First, Pebble allows anyone (without authenticating who they are) to develop apps in C that can execute natively on the watches. Pebble does not perform a security review of the submissions; it relies on on-watch memory isolation and user reports to defend against malicious apps [3]. With this design, attackers can still find a way to stealthily distribute malware.

Next, we will present the internals of Pebble's kernel, and discuss a zero-day vulnerability discovered by us that can lead to privilege escalation. Local attackers can exploit this issue to root the watches, and can even persistently take full control of the watches. This vulnerability can also generally affect other wearable or embedded platforms.

Lastly, we will point out that the security of smartwatches depends on the security of the phones they are paired with. By exploiting this trust chain, attackers can launch remote attacks to take over the watches. An Android zero-day Bluetooth vulnerability discovered by us will be used as an example. Several other vulnerabilities due to Pebble's design flaws will also be described.

We have responsibly disclosed all issues to Pebble and other related vendors. The vulnerabilities shown in this paper can generally affect other wearable or embedded platforms. We hope that this talk will kick-start a discussion of wearable security, and inspire more researchers and vendors to join in the effort of improving wearable security.

[1] https://www.idc.com/getdoc.jsp?containerId=prUS40846515
[2] https://courses.csail.mit.edu/6.857/2014/files/09-boning-lee-valdez-pebble-smartwatch.pdf
[3] https://developer.pebble.com/legal/