A Russian security researcher was able to hack into his own smart bracelet in a relatively easy way (well, easy for a programmer).
Roman Unuchek, a mobile threats expert at Kaspersy Lab, built an application that connected with dozens of devices in the wild and surreptitiously hacked into his own bracelet. He would not divulge what kind of device it is.
Smart bracelets are generally considered to be the “dumbest” of the smart wrist devices. They include Jawbones, Fitbits, Nike Fuel Bands, and numerous others that have no digital display but track movements and other biometric data. Their adoption has been rapidly rising — Nielsen predicts that a third of all US adult consumers will own some form of a wearable device by 2017.
So this hacking discovery may come as a wake-up call to companies trying to build out their wearables programs.
Hacking a smart bracelet generally consists of two parts:
- Scanning and connecting to the bracelet (the easy part)
- Gaining authentication — that is, spoofing the actual user’s identity — from the main app on the user’s smartphone (harder)
Unuchek was able to build an app that scanned the area for devices in his area. Most wearables connect using Bluetooth LE technology, a common low-powered protocol. Because these devices don’t have screens, they do not require passwords to connect. This made it a breeze to gain an instant connection from his hacking app to the devices.
He brought his new wearable-scanning app into the wild and connected to 54 devices in six hours. After one hour in a gym, he connected to 25 individual devices. While in a subway for two hours, he found 19 others.
The authentication proved a bit more difficult. If a bracelet is already connected with a smartphone, the only way for it to communicate with another app is for this new app to be given the go-ahead. This requires quite a bit of savvy coding, as well as slyly having the device-wearer consent to the app’s connection.
Unuchek’s bracelet sought out authentication by sending a vibration. All he had to do was press the only button on his bracelet to complete the authentication.
If a real-world hacker kept trying to connect to the device, and the user kept getting phantom vibrations on their arm, they’d probably press the button in an attempt to shut it up.
As Unuchek explained, “It is not difficult to make the user press a single button on the wristband. You just need to be persistent. You can keep trying authentication process over and over until the user finally presses the button or moves out of range.”
By following those two steps, he was able to access the bracelet’s data.
Of course, not much can be done with a hacked smart bracelet. The data these devices track are relatively benign. The hacker can learn how many steps the wearer made, or how well their sleep cycle is.
But Unuchek sees a future of nefarious wearable hacks. For example, as the devices become more intelligent they may track more personal biometric data including pulse sensors. Stores could use this data to detect how users respond to in-store stimuli. Or, in a more farfetched world, hackers could write a torturous line of code that makes a bracelet vibrate incessantly, and the attackers “demand money to make it stop.”
Whatever the possibilities with this data, Unuchek was able to highlight a real vulnerability in popular new connected technology. While he wouldn’t name the vendor, but it’s highly likely that this problem extends to numerous devices on the market.