Google fixes smartwatch security problem discovered by Purdue researchers

WEST LAFAYETTE, Ind. — Purdue University researchers uncovered a serious vulnerability in Google’s Wear OS smartwatches. If left unpatched, the vulnerability could have allowed an attacker to crash specific apps, make the app or the watch unresponsive, or cause the watch to reboot continuously beyond the user’s control.

Saurabh Bagchi, a Purdue professor of electrical and computer engineering, and his team worked with the Google Security Team to replicate the attack. Google then released a patch to Wear OS and reported on June 24 that the vulnerability had been fixed.

Bagchi’s team discovered the vulnerability using a tool they developed, called Vulcan. The tool uses a technique known as “fuzzing” to identify weak spots, which means feeding a program or app different permutations of data until one of those permutations reveals a vulnerability.

Vulcan had identified this vulnerability in the latest version of the Wear OS (version 2.8) and 13 popular smartwatch apps on Google Play, such as Google Fit, Google Maps and Nike Run Club.

The researchers found that a hacker could get control over an app or the watch by manipulating the language that apps use to communicate, called “Intents.” Sending carefully crafted Intents at high volumes and when the operating system is less stable could overload the app or watch.

Bagchi and his team further describe how Vulcan discovered this Wear OS vulnerability in a paper presented virtually at the 18th ACM International Conference on Mobile Systems, Applications and Services (MobiSys) in June. Co-authors of the paper are Purdue graduate students Edgardo Barsallo Yi and Heng Zhang and research scientist Amiya Maji. Kefan Xu, a visiting undergraduate student from Beijing University, also contributed to this research.

The work shows a proof-of-concept mitigation technique. This mitigation could not be incorporated into the operating system without vendor support since Wear OS is not open source. Once Google released the patch, the Purdue team open sourced the codebase for the work on Github.

“It had been believed that the state of a wearable device or the application has an important relationship to the stability of the operating system,” said Bagchi, who has a courtesy appointment in Purdue’s Department of Computer Science and directs the Center for Resilient Infrastructures, Systems and Processes.

“We are the first to demonstrate that an overloaded state can be leveraged to cause the device to shut down and reboot, even without the adversary having root-level privileges.”

As wearable devices have become more popular, an increasing number of ways to use and interact with them has given rise to new weak spots. This is because each new feature added to a wearable device, such as a heart rate monitor or electrocardiogram, is a sensor that also comes with its own device driver software.

“Such device drivers have been found in conventional computers to be a weak spot,” said Yi, the lead author on this paper.

More weak spots are bound to show up as wearables continue to interconnect with other devices.

“We had done work uncovering security and reliability weak spots of Android about 10 years ago,” Maji said. “When we started the investigation into Wear OS, we found that most of those weak spots had been fixed, but the new modes of interaction of wearables had given rise to new vulnerabilities.”

The team started developing Vulcan in 2018 to address these issues, presenting early findings at the 48th IEEE/IFIP International Conference on Dependable Systems and Networks.

Vulcan’s aid to Wear OS shows that it can be used to detect vulnerabilities in a range of apps, making the tool an asset for software developers. Compared with other fuzzing tools, Vulcan also doesn’t modify the wearable device or app as it looks for hackable weaknesses.

“The specialized design of Vulcan empowers it to automatically expose many serious vulnerabilities in Wear OS, even though this product has been under intensive testing and maintenance by a large team at Google,” said Tianyin Xu, a leading expert in mobile systems who is unaffiliated with the project. Xu is an assistant professor of computer science at the University of Illinois at Urbana-Champaign and a program committee member of MobiSys.

According to Xu, bugs and vulnerabilities of wearable systems could lead to disastrous consequences, especially in settings such as hospitals. Vulcan could help address emerging challenges with making wearable systems more reliable and secure as they become more interconnected.

This research was supported by a Google Faculty Research Award and the National Science Foundation.

About Purdue University

Purdue University is a top public research institution developing practical solutions to today’s toughest challenges. Ranked the No. 6 Most Innovative University in the United States by U.S. News & World Report, Purdue delivers world-changing research and out-of-this-world discovery. Committed to hands-on and online, real-world learning, Purdue offers a transformative education to all. Committed to affordability and accessibility, Purdue has frozen tuition and most fees at 2012-13 levels, enabling more students than ever to graduate debt-free. See how Purdue never stops in the persistent pursuit of the next giant leap at purdue.edu.

Writer, Media contact: Kayla Wiles, wiles5@purdue.edu (working remotely, but will provide immediate response)

Source: Saurabh Bagchi, sbagchi@purdue.edu

Journalists visiting campus: Journalists should follow Protect Purdue protocols and the following guidelines:

• Campus is open, but the number of people in spaces may be limited. We will be as accommodating as possible, but you may be asked to step out or report from another location.
• To enable access, particularly to campus buildings, we recommend you contact the Purdue News Service media contact listed on the release to let them know the nature of the visit and where you will be visiting. A News Service representative can facilitate safe access and may escort you on campus.
• Wear face masks inside any campus building. Wear face masks outdoors when social distancing of at least six feet is not possible. 

Note to Journalists: A stock photo of smartwatches and a portrait of Saurabh Bagchi are available in a Google Drive folder. A video explaining how Vulcan can identify security vulnerabilities is available via Vimeo.

---

ABSTRACT

Vulcan: Lessons on Reliability of Wearables through State-Aware Fuzzing

Edgardo Barsallo Yi¹, Heng Zhang¹, Amiya K. Maji¹, Kefan Xu², and Saurabh Bagchi¹

¹Purdue University

²Beijing University

As we look to use Wear OS (formerly known as Android Wear) devices for fitness and health monitoring, it is important to evaluate the reliability of its ecosystem. The goal of this paper is to understand the reliability weak spots in the Wear OS ecosystem. We develop a state-aware fuzzing tool, Vulcan, without any elevated privileges, to uncover these weak spots by fuzzing Wear OS apps. We evaluate the outcomes due to these weak spots by fuzzing 100 popular apps downloaded from Google Play Store. The outcomes include causing specific apps to crash, causing the running app to become unresponsive, and causing the device to reboot. We finally propose a proof-of-concept mitigation solution to address the system reboot issue.