sMobile ? "width=device-width,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0" : "width=1100"' name='viewport'/> android xda: Pebble SmartWatch DoSed through message bomb method, does a factory reset and loses all user data

Wednesday, 20 August 2014

Pebble SmartWatch DoSed through message bomb method, does a factory reset and loses all user data

If you have read this article you may be knowing about Pebble SmartWatch.  Pebble smartwatch has been developed by Pebble Technology Corporation and was released in September, 2013. Pebble smartwatch which ran on Android operating system was a instant success and PTC has sold over 1 million units of all versions of Pebble smartwatch as of July this year.  However Pebble is vulnerable to a DoS (Denial of Service) attack through message bombing.  The Proof of Concept for this DoSing was published Hemanth Joseph of White Hat Pages today.

Pebble SmartWatch DoSed through message bomb method, does a factory reset and loses all user data


As per Hemanth, he tested the Pebble smartwatch with firmware version 2.4.1 aboard it.  As published on his blog he,

1.    Connected  Pebble smartwatch to Sony Z2 smart phone
2.    Tested notification.
3.    Did a message bombing to through his own WhatsApp Account        through 1500 messages in 5 secs.

What he got was a garbled screen and a automatic factory reset. The auto reset caused him to lose all his data on the smart watch. Carrying the PoC a bit further, he message bombed it with 300 WhatsApp Messages in 5 secs and as expected the result was same. After testing various times he found out that during some of testing though the screen got garbled, the Pebble smartwatch didnt go for a auto factory reset.  He has noted that, to bring the bricked Pebble back to normal working, he had to reset it thereby losing all the saved data.  This is what his Pebble smartwatch looked like after the DoS testing.
Pebble SmartWatch DoSed through message bomb method, does a factory reset and loses all user data

As per the PoC given by him, any attacker who wished to DoS any Pebble smartwatch has to just get the potential victims Mobile number or Facebook id.  Once the attacker gets any of these, he can message bomb your Pebble smartwatch to death (reset). The smartwatch it seems is unable to handle large amounts of message transfers in limited time and has a auto reset mechanism which PTC should look into. 

No comments:

Post a Comment