Time's Up: Android-Based Smartwatches Hacked

Status
Not open for further replies.

scannall

Would it really be that hard to put a timer between password attempts? Even 1 second would suffice. And say a 15 minute cooldown after 5 wrong attempts?
 

lathe26

Two things:

1. This problem can easily be fixed by having the Smartwatches use Bluetooth's Secure Simple Pairing (SSP). This can greatly improve the pairing process. Easily fixed with an update to the Smartwatch.

2. What these hackers demonstrated was that Bluetooth pairing (which is a one time setup task) is weak if you pair with only a handful of PIN digits -during- the pairing process. However, if you perform the one-time pairing when no attacker is around, even if you used an extremely weak 1 digit PIN, then afterwards your Bluetooth link is extremely secure.

This does -not- show a fundamental weakness of Android Smartwatch technology.
 

neodude007

Would it really be that hard to put a timer between password attempts? Even 1 second would suffice. And say a 15 minute cooldown after 5 wrong attempts?

That is not exactly how the hack works. It is not asking the devices to pair with the Bluetooth sniffer. The sniffer is just capturing the traffic but the traffic seems to maybe be encrypted with a 6 digit PIN. This allows software to brute force the captured data rather quickly (minutes) until the decrypted information is displayed.
 

NatureTM

I work as a software engineer writing Bluetooth device firmware at my job, and the vulnerability in the BLE pairing protocol has been known for quite a while. If we're concerned about security, we just encrypt the data ourselves in the application before sending it over the wireless link. I'm surprised Google didn't take the same approach, or fix their Bluetooth stack implementation to support 128-bit out of band keying.

By the way, Apple also does not currently support Bluetooth's out of band keying feature, and I really wish both companies would support it sometime soon.
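
Added example, not part of the thread and not code from any Bluetooth stack: a toy model of why an attempt timer does not protect traffic keyed from a 6-digit PIN once a message has been captured, and what a 128-bit out-of-band key changes. The SHA-256/HMAC derivation is a stand-in assumed for illustration, not Bluetooth's pairing functions, and the PIN, nonce and payload are constructed sample values.

```python
import hashlib, hmac, secrets, time

def key_from_pin(pin: str, nonce: bytes) -> bytes:
    # Stand-in derivation (assumption): NOT the Bluetooth pairing function.
    return hashlib.sha256(nonce + pin.encode()).digest()

def tag_for(key: bytes, payload: bytes) -> bytes:
    # Anything in captured traffic that lets a guessed key be confirmed.
    return hmac.new(key, payload, hashlib.sha256).digest()

def offline_search(nonce: bytes, payload: bytes, tag: bytes, digits: int = 6):
    """Check every PIN against one captured message; the device is never asked."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if hmac.compare_digest(tag_for(key_from_pin(pin, nonce), payload), tag):
            return pin, n + 1
    return None, 10 ** digits

def online_seconds(attempts: int, delay: int = 1, per_lock: int = 5, lock: int = 900) -> int:
    """Cost of the same guesses if each one had to go through the device,
    with a 1 s delay and a 15 min cooldown after every 5 wrong attempts."""
    return attempts * delay + (attempts // per_lock) * lock

def years_to_exhaust(bits: int, guesses_per_second: float) -> float:
    # Time to walk a full keyspace of the given size at a fixed guess rate.
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    nonce = secrets.token_bytes(16)               # constructed sample values
    payload = b"constructed sample notification"
    tag = tag_for(key_from_pin("483920", nonce), payload)
    start = time.perf_counter()
    pin, tries = offline_search(nonce, payload, tag)
    rate = tries / (time.perf_counter() - start)
    print(f"offline: PIN {pin} after {tries} guesses at {rate:,.0f} guesses/s")
    years = online_seconds(10 ** 6) / 86400 / 365.25
    print(f"through a device with lockout: {years:.1f} years for 10^6 guesses")
    print(f"128-bit random key at the offline rate: {years_to_exhaust(128, rate):.1e} years")
```

The lockout only slows guesses that the device itself has to answer; the fix that holds up against captured traffic is a key with enough entropy that the search space cannot be walked.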
 