A few days ago, phoneArena published an article with this title: Hackers can grab personal data from your smartwatch. Because it only linked to a teaser for a paper to be released later, and because we are using such a watch, it was an opportunity to investigate instead of waiting.
The researchers interviewed have not published the paper containing their findings yet, so here are some findings already:
The only device studied in this article is Sony's Smartwatch 3 running the latest official 5.1.1 build. Before that, the unit was never flashed manually or modified in any way.
Current Android Wear watch security model
As an Android Wear device, it runs the Android platform just like phones and tablets.
In typical Google fashion, the bootloader implements fastboot commands and is locked by default.
The primary security model behind fastboot devices is that you cannot dump or steal user data from a bootloader-locked unit as long as the owner has enabled a lockscreen security mechanism:
- the watch bootloader is locked by default
- MTP USB file sharing and adb debugging are disabled until Android lockscreen is unlocked
- unlocking the bootloader (fastboot oem unlock) wipes user data
- after the bootloader gets unlocked and personal data wiped, you can boot a custom kernel image, flash any partition, or dump all partitions from a custom recovery.
This simple model should protect against attempts at stealing personal data over the USB connection.
It relies solely on bootloader security.
What this model does not protect against is:
- local vulnerabilities and privilege escalation
- hardware attacks that read the data directly from the eMMC chips
In conjunction with the bootloader security, an Android Wear device has to be factory-reset, which wipes all user data on the watch, before it can be Bluetooth paired with another smartphone or tablet.
This security model is simple but conceptually sound in theory.
It is still vulnerable to attackers equipped with the hardware required to dump eMMC flash memory.
It is worth noting already that bootloader security has historically been weak. Few devices have resisted cracking efforts, whether through attacks on the cryptography, bypasses via the lower-level 1st or 2nd stage bootloaders that run before the visible bootloader, or use of a physical JTAG connection.
Today, Android Wear smartwatches offer a pattern lock screen that is automatically enabled based on accelerometer data, but unlike phones or tablets, the OS does not offer full disk encryption, as shown by the mount command on the Sony Smartwatch 3:
/dev/block/platform/sdhci.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,data=ordered 0 0
/dev/block/platform/sdhci.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,relatime,discard,noauto_da_alloc,data=ordered 0 0
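As an added audit check (not from the original post), the following Python parses mount output and reports whether /data sits directly on a raw by-name eMMC partition or on a dm-crypt mapped device, which is how Android full disk encryption shows up. The Sony lines are the watch's own mount output quoted above; the second sample is a constructed line modelled on an FDE-enabled Android phone.

```python
import re

# Mount output from the Sony Smartwatch 3 as quoted in the post (userdata on raw eMMC).
SONY_MOUNT = """\
/dev/block/platform/sdhci.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,data=ordered 0 0
/dev/block/platform/sdhci.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,relatime,discard,noauto_da_alloc,data=ordered 0 0
"""

# Constructed sample of what an FDE-enabled Android device reports: /data is on a
# device-mapper (dm-crypt) node rather than directly on the by-name partition.
FDE_MOUNT = """\
/dev/block/platform/sdhci.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime 0 0
/dev/block/dm-0 /data ext4 rw,seclabel,nosuid,nodev,noatime,discard,data=ordered 0 0
"""

DM_NODE = re.compile(r"^/dev/block/dm-\d+$")


def parse_mounts(text):
    """Turn mount-style lines (device mountpoint fstype options dump pass) into dicts."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        entries.append({"device": parts[0], "mountpoint": parts[1],
                        "fstype": parts[2], "options": parts[3].split(",")})
    return entries


def userdata_status(text):
    """Report how /data is backed. Android FDE is implemented with dm-crypt, so an
    encrypted userdata appears as /dev/block/dm-N; a by-name partition path means the
    filesystem is written to flash in clear, which is what the watch shows."""
    for e in parse_mounts(text):
        if e["mountpoint"] == "/data":
            return {"device": e["device"], "fstype": e["fstype"],
                    "encrypted": bool(DM_NODE.match(e["device"])),
                    "raw_flash": e["device"].startswith("/dev/block/platform/")}
    return None  # /data not mounted (e.g. a recovery that left userdata unmounted)


if __name__ == "__main__":
    for name, out in (("Sony Smartwatch 3", SONY_MOUNT), ("constructed FDE phone", FDE_MOUNT)):
        print(name, userdata_status(out))
```

On a real device, feed it the output of adb shell mount; a dm-N device is only a heuristic for FDE, so treat a raw by-name path as the definitive negative result.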
Sony Smartwatch 3 bootloader
Because the Android Wear data security model relies on the bootloader, the fastboot oem unlock command is expected to wipe all user data before allowing any boot or flash operation.
Here is what happens with Sony and Google’s latest firmware:
$ fastboot oem unlock
(bootloader) : WARNING: Unlocking your device will void your warranty
(bootloader) : and erase your personal data from the device.
(bootloader) : Run "fastboot oem unlock" again to confirm.
(bootloader) : Device still locked.
OKAY [ 0.008s]
finished. total time: 0.008s
Because the watch has no physical buttons to choose and confirm an unlock, and pressing the wrong virtual button on a tiny touch screen is error-prone, the manufacturer chose to implement this two-step mechanism, which looks good so far.
But a flaw in the bootloader implementation already allows a custom kernel image to be booted with fastboot boot, as found initially by XDA Recognized Contributor [NUT].
This has been validated working on both 5.0.2 (previous) and 5.1.1 (current) Sony firmwares.
$ adb shell 'stty raw; tar c /data 2>/dev/null' > userdata-dump.tar
Example of personal data found
- Photos of the favorite & popular contacts
- Google Keep notes’ images
- list of favorite & popular contacts
- complete content of Google Keep notes
- Partial history of notifications sent to the watch including full email content, Hangout discussions (20 last messages)
data/misc/wifi/networkHistory.txt and misc/wifi/wpa_supplicant.conf
A long list of Wi-Fi hotspots known to the paired phone.
Concrete examples from our unit: ZurichAirport, Free_WiFi_GVA, _Heathrow Wi-Fi, GH4-3418D4, unpacked 2015 wifi, LeMeridien. These reveal airport and hotel names, events attended and the camera used.
Passwords are also present in wpa_supplicant.conf, in clear text, for each known private network.
An attacker dumping your watch will gain access to your home or company private networks.
Contains all fitness data. Note that the data points need adequate software to be interpreted.
The entries network_id, network_secret, private_key and cloudSyncId could be entry points.
Personal Google Fit history in JSON format, favorite sports, height, weight.
Some applications like Endomondo, MyTracks and Ghostracer store GPS and heart-rate tracking information in databases that can be found on disk.
Fortunately, once the watch and the paired smartphone apps have had the chance to synchronize their data, those databases are purged from the watch.
How could an attacker dump this data?
Physically accessing the watch for a short time is enough to dump everything it contains or a few specific files.
The watch could be stolen, left on a table or a night stand.
After that, the attacker would reboot the watch into fastboot mode using the instructions found in this post, plug a computer/phone/tablet into the Smartwatch's Micro-USB port, semi-unlock the vulnerable bootloader, boot a custom recovery and acquire your personal data in about 5 minutes.
There is no known workaround for now besides keeping the watch on your wrist at all times and factory-resetting it when you have to take it off.
Fortunately, most third party developers tend to store as little data as possible on the watch which reduces the amount of data that can be stolen.
The worst offenders today are probably Google Keep, which syncs every note's content to the watch by default, Wi-Fi credentials and discussion histories.
Q: Does a lockscreen pattern protect my data?
A: Like other Android Wear devices, Sony's device allows entering fastboot mode using only the power button.
Having USB debugging enabled in the developer options to run adb reboot bootloader is not a requirement, therefore a lockscreen makes no difference.
Q: How can Sony mitigate the issue?
A: By releasing a bootloader that behaves according to Google's specification, which should allow fastboot boot of kernel images only after a successful unlock that wipes all user data.
Q: Will the Smartwatch 3 be secure after being updated with a fixed bootloader?
A: Security relying on a locked bootloader mechanism has been defeated many times. A better solution would require adding full disk encryption on the userdata partition, or the brand new ext4 per-file encryption on anything sensitive.