Wearable security – hint, there is none

There really should be a few posts around this topic. Bit like passwords really…

http://arstechnica.com/security/2014/12/connections-between-phones-and-smartwatches-wide-open-to-brute-force-hacks/

Here’s the skinny.
Your phone has to talk to your wearable. If it's a smart wearable, it might be a two-way conversation, with data sent both ways. Even if it's a dumb device (a step tracker, for example) with mostly one-way data, this security issue still applies.

The growing number of smart devices that interoperate with smartphones could leave text messages, calendar entries, biometric data, and other sensitive user information wide open to hackers, security researchers warn.

That’s because most smart watches rely on a six-digit PIN to secure information traveling to and from connected Android smartphones. With only one million possible keys securing the Bluetooth connection between the handset and the smart device, the PINs are susceptible to brute-force attacks, in which a nearby hacker attempts every possible combination until finding the right one.

First up, know that this attack was done on the old specification of Bluetooth. Version 4.2 addresses some of these issues, but not all.

Researchers from security firm Bitdefender mounted a proof-of-concept hack against a Samsung Gear Live smartwatch that was paired with a Google Nexus 4 running Android L Preview. Using readily available hacking tools, they found that the PIN obfuscating the Bluetooth connection between the two devices was easily brute forced. From that point on, they were able to monitor the information passing between the watch and the phone.

This opens a can of worms. A big can of worms.
In the case of the watch, the data passed back and forth could be really sensitive information… I get email previews, images, appointment reminders along with location data… On and on goes the list of stuff that I may or may not want my attacker to read.
(I have not, but you can download two pass authentication apps that generate key codes that can be used to log into things like banking, network and data services – you are in effect, handing the keys to your digital life (and physical in the case of a bank) to the bad guys if you do this).

Hopefully you can see how much of a big deal this is.

I have more to say, but this will do for now.
(The ‘more to say’ revolves around the security risks of even ‘dumb’ wearables).