DoSing Pebble SmartWatch And Thus Deleting All Data Remotely

Posted by Hemanth Joseph on 6:46 PM



                                           Pebble Dos Vulnerability




                                                                                           Hemanth Joseph
                                                                       [email protected]



            During my recent security research on Pebble Smart watch and its Android/iOS application, I found one critical Dos vulnerability by which we can delete all data’s, apps, notes, and other information stored in it remotely .

About Pebble Smart Watches !


              Pebble smartwatch is developed by Pebble Technology Corporation and is released in 2013 . It is considered as one of the BEST Smart Watch available out there and is compatible with Android and iOS . Over 10 lack units of Pebble sold as of July 2014 .


 



Pebble Dos Vulnerability !!!  [POC]


                      
                   Pebble Smartwatch when connected to a Phone will give a Vibrating alert to Calls, Messages, E-mails, etc .. . I’m testing a Pebble with its latest v2.4.1 Firmware .

                  For every messages from Whatsapp or Facebook Messenger or such apps  Pebble will give an alert with the whole message displayed on its screen . There is no character limit in showing such messages. Even if we get a lengthy 100 word message from whatsapp with an alert Pebble will show the whole message in its small screen . From this itself it is clear that we can make it freeze by giving it a lot of notifications to display . But what actually happened during my testing shows how serious this Bug is .


What I Did Is ......


1.     Connected my Pebble Smart Watch with my Sony Z2.
2.     Tested if I am getting notification or not.
3.     Did a message bombing to my own Whatsaap Account [1500 messages in 5 sec ]

What All Ended Up With?



      As expected the whole screen of my Pebble became filled with lines ( As shown in the Picture  ) .  Soon itself it got Switched Off automatically and executed a Factory Reset without any actions from my side to do so ! . Due to that automatic Factory Reset I lost all my Apps and other data’s which I was having in my Pebble .

The same occurred even when I decreased the no. of messages to 300 in 5 sec .

By exploiting this Dos bug a person with your FB ID or Mobile Number or any such thing  can  remotely DELETE all your data’s in your Pebble by simply giving you a Small Message Bomb .



Possible Fix


·        Give a Character limit while showing such messages in Pebble .
·        Remove the Automatic Factory Reset Bug .


 



**UPDATE**


   After the freezing of your Pebble you will see a lot of white straight lines all over the screen. We can’t make it back to a working condition by simply Switching it off   we MUST do a Factory Reset in order to make it working again . So it is sure that all your data will be Deleted if your pebble gets a DoS !


Thank You For Reading .

Categories: