As smartwatches become more popular, an increasing number of ways to use and interact with them has given rise to hackable weak spots in their operating systems and apps. (Credit: Unsplash)

Purdue University researchers uncovered a serious vulnerability in Google’s Wear OS smartwatches. If left unpatched, the vulnerability could have allowed an attacker to crash specific apps, make the app or the watch unresponsive, or cause the watch to reboot continuously beyond the user’s control.

Saurabh Bagchi, a Purdue professor of electrical and computer engineering, and his team worked with the Google Security Team to replicate the attack. Google then released a patch to Wear OS and reported on June 24 that the vulnerability had been fixed.

Bagchi’s team discovered the vulnerability using a tool they developed, called Vulcan. The tool uses a technique known as “fuzzing” to identify weak spots, which means feeding a program or app different permutations of data until one of those permutations reveals a vulnerability.

Vulcan had identified this vulnerability in the latest version of the Wear OS (version 2.8) and 13 popular smartwatch apps on Google Play, such as Google Fit, Google Maps and Nike Run Club.

Saurabh Bagchi (Purdue University photo/Vincent Walter)

The researchers found that a hacker could get control over an app or the watch by manipulating the language that apps use to communicate, called “Intents.” Sending carefully crafted Intents at high volumes and when the operating system is less stable could overload the app or watch.

Bagchi and his team further describe how Vulcan discovered this Wear OS vulnerability in a paper presented virtually at the 18th ACM International Conference on Mobile Systems, Applications and Services (MobiSys) in June. Co-authors of the paper are Purdue graduate students Edgardo Barsallo Yi and Heng Zhang and research scientist Amiya Maji. Kefan Xu, a visiting undergraduate student from Beijing University, also contributed to this research.

The work shows a proof-of-concept mitigation technique. This mitigation could not be incorporated into the operating system without vendor support since Wear OS is not open source. Once Google released the patch, the Purdue team open sourced the codebase for the work on Github.

“It had been believed that the state of a wearable device or the application has an important relationship to the stability of the operating system,” said Bagchi, who has a courtesy appointment in Purdue’s Department of Computer Science and directs the Center for Resilient Infrastructures, Systems and Processes.

“We are the first to demonstrate that an overloaded state can be leveraged to cause the device to shut down and reboot, even without the adversary having root-level privileges.”

As wearable devices have become more popular, an increasing number of ways to use and interact with them has given rise to new weak spots. This is because each new feature added to a wearable device, such as a heart rate monitor or electrocardiogram, is a sensor that also comes with its own device driver software.

“Such device drivers have been found in conventional computers to be a weak spot,” said Yi, the lead author on this paper.

More weak spots are bound to show up as wearables continue to interconnect with other devices.

“We had done work uncovering security and reliability weak spots of Android about 10 years ago,” Maji said. “When we started the investigation into Wear OS, we found that most of those weak spots had been fixed, but the new modes of interaction of wearables had given rise to new vulnerabilities.”

The team started developing Vulcan in 2018 to address these issues, presenting early findings at the 48th IEEE/IFIP International Conference on Dependable Systems and Networks.

Vulcan’s aid to Wear OS shows that it can be used to detect vulnerabilities in a range of apps, making the tool an asset for software developers. Compared with other fuzzing tools, Vulcan also doesn’t modify the wearable device or app as it looks for hackable weaknesses.

“The specialized design of Vulcan empowers it to automatically expose many serious vulnerabilities in Wear OS, even though this product has been under intensive testing and maintenance by a large team at Google,” said Tianyin Xu, a leading expert in mobile systems who is unaffiliated with the project. Xu is an assistant professor of computer science at the University of Illinois at Urbana-Champaign and a program committee member of MobiSys.

According to Xu, bugs and vulnerabilities of wearable systems could lead to disastrous consequences, especially in settings such as hospitals. Vulcan could help address emerging challenges with making wearable systems more reliable and secure as they become more interconnected.

This research was supported by a Google Faculty Research Award and the National Science Foundation.

Source: Google fixes smartwatch security problem discovered by Purdue researchers