by RSS Axelle Apvrille  |  Oct 14, 2016  |  Filed in: Industry Trends

My personal favorite talk was on exploiting Pebble smartwatches ("Exploit Millions of Pebble Smartwatches for Fun and Profit" by Zhang and Wei). Our expectations are usually higher in one's own field of expertise, but this one is really great work.

I just returned from VB 2016 (the Virus Bulletin International Conference) held this year in Denver. My personal favorite talk was on exploiting Pebble smartwatches ("Exploit Millions of Pebble Smartwatches for Fun and Profit" by Zhang and Wei). Our expectations are usually higher in one's own field of expertise, but this one is really great work.

Basically, the authors found an inner assembly routine in Pebble's operating system that allows someone to elevate their privileges. If you are familiar with ROP, this is a privilege elevation gadget. Normally, this routine is called by Pebble OS only when privilege needs to be elevated, and then another routine is called to return to normal privileges. However, actually, nothing prevents a skilled hacker from calling just the privilege elevation gadget... and that's what the authors demonstrated.

Their conclusion is that any device with an ARM Cortex M processor is actually vulnerable to their hack. This is partly true, and partly exaggerated, because there are some other conditions. Let's detail.

The vulnerability is exploitable if

  1. The processor is an ARM Cortex M, because they have an MPU that sets higher privileges by just changing a bit. Processors with an MMU for instance are not vulnerable.
  2. AND the attacker is able to execute code on the device. For Pebble smartwatches, this is "easy" because applications are developed in C and run on the smartwatch itself. We'll see later, however, that this is not an easy condition to meet in all cases.
  3. AND there is a way to elevate the privilege without returning back to normal privilege afterwards. This typically happens if (a) the OS has a bug, or, as the authors found, if (b) a privilege escalation gadget exists.
  4. AND in case of (a), the attack is able to trigger the bug, or in the case of (b), the attacker is able to jump to the memory address containing the escalation gadget.

In practice, I have thought the problem over on 3 other connected objects I have personally investigated. Although 2 of them featured a Cortex M processor, as you can see in the table below, in practice it is highly uncertain the vulnerability would affect them. However, it would certainly be interesting to conduct more research on that.

Name Is the processor vulnerable? Can the attacker execute code on the device? Is the OS vulnerable or does a privilege escalation exist? Is the attacker able to trigger/jump to the address? Conclusion
ReconJet sports glasses No (Cortex A9)       Not vulnerable
Sony SmartWatch 2 Yes (Cortex M4) Not easy. Developer's code execute on the smart phone. It's not trivial to control what will be executed on the smart watch Perhaps - one never knows - research would need to be done, particularly on the microC/OS II OS... Difficult, because developers write Java code - without JNI - so it will be difficult to run assembly code to jump to an address for instance Perhaps but difficult
Fitbit Flex Yes (Cortex M3) Difficult. The device is not open to third party development. Perhaps, but same as for Sony's smart watch, that's research to be done. Not even certain what OS is running on the tracker. Perhaps, but that's research to do. Perhaps, nothing obvious. Research would need to be done

-- the Crypto Girl

by RSS Axelle Apvrille  |  Oct 14, 2016  |  Filed in: Industry Trends