BitDefender Exposes Potential Android Wear Vulnerability


Bluetooth communication is great, but how secure is it really? A team at BitDefender – an antivirus company – wanted to find out just how much information could be intercepted from the communication between an Android phone and an Android Wear device. Just how much they were able to see might be surprising.

Using a Nexus 4 running the Android L Developer Preview and an LG G Watch (called an "LG L" for some reason in the video below), Liviu Arsene – Senior Security Analyst at BitDefender – was ultimately able to intercept a Hangouts message transmitted from the Nexus 4 to the G Watch. He was able to do this because the code pairing the phone to the watch is only 6 digits, and can be cracked easily using a brute-force attack. Once in, Arsene was able to view the information passed between the two devices in plain text.

While this vulnerability could be found with nearly any pair of Bluetooth devices, it's particularly troubling for something like a wearable. Your phone and smartwatch pass all sorts of personal and private information between them – messages, purchases, even biometric data, as Arsene mentions. Chances are good that most people wouldn't have the interest or knowledge to try to force their way into these communications, but the fact that the possibility exists is troubling.

Some comments on the YouTube video point out that BitDefender appears to be using a method that requires USB debugging to pull the phone's logs, and that standard Bluetooth pairing would be difficult to crack. Others point to a potential weakness in Bluetooth LE that could allow this sort of snooping. Arsene stops short of suggesting that users download BitDefender's Android app, though I wouldn't be surprised if a follow-up video extols the virtues of their app and tells you all about how BitDefender might keep you safe from these sorts of attacks. Check out the video below and see what you think – legitimate threat, or thinly veiled sales attempt?

Source: ZDNet