Security researchers have demonstrated that the data sent between a Smartwatch and an Android smartphone is not too secure and could be a subject to brute force hacks by attackers to intercept and decode users' data, including everything from text messages to Google Hangout chats and Facebook conversations.
Well this happens because the bluetooth communication between most Smartwatches and Android devices rely on a six-digit PIN code in order to transfer information between them in a secure manner. Six-digit Pin means approx one million possible keys, which can be easily brute-forced by attackers into exposing entire conversations in plain text.
Researchers from the Romania-based security firm Bitdefender carried out a proof-of-concept hack against a Samsung Gear Live smartwatch and a paired Google Nexus 4 handset running Android L Preview. Only by using sniffing tools available at that moment, the researchers found that the PIN obfuscating the Bluetooth connection between both devices was easily brute forced by them.
Brute force attack is where a nearby hacker attempts every possible combination until finding the correct one. Once found the right match, they were able to monitor the information transferring between the smartwatch and the smartphone.
You can watch the Proof-of-Concept video below, ran on a Samsung Gear Live smartwatch and a paired Google Nexus 4 device running Android L Preview.
The researchers explained that their findings were "pretty consistent with [their] expectations" and without a great deal of effort, an encrypted communications between wearable technology and smartphones could be cracked and left open to prying eyes.
This new discovery is important particularly for those who are concerned about their personal data, and considering the increase in the market of smartwatches and wearable devices at the moment, the discovery will definitely made you to think before using one.
HOW TO PROTECT YOURSELF FROM SUCH ATTACKS
To protect yourself to be a victim of such attacks, use Near Field Communication (NFC) to safely transmit a PIN code to compatible smartwatches during pairing, but that would likely increase the cost and complexity of the devices. In addition, "using passphrases is also tedious as it would involve manually typing a possibly randomly generated string onto the wearable smartwatch," the report said.
Another option is to use original equipment manufacturers (OEMs) by Google as an alternative to make data transfers between either device more secure. "Or we could supersede the entire Bluetooth encryption between Android device and smartwatch and use a secondary layer of encryption at the application level," the report offered. There are almost certainly other potential fixes available.