WatchWitch — Hacking the Apple Watch
The Apple Watch is by far the most popular wearable device on the market and collects vast amounts of sensitive health data from an array of sensors. In this talk, we take a deep dive into the systems that power the watch’s deep integration into the Apple ecosystem and learn how our most private data is protected. Along the way, we will encounter proprietary protocols, flawed implementations of standards, and homebrew cryptography endangering Apple’s famously strong security.
With Apple adding new hardware capabilities to the Apple Watch year over year, modern watch models boast an impressive number of sensors in a tiny package: Your watch can track your location, do advanced activity detection, measure your heart rate, blood oxygen levels, skin temperature, and even take ECG readings. Beyond collecting intimate health data, the watch also integrates deeply with your iPhone — it can access your phone’s camera, share its internet connection, and synchronize many different kinds of data.
Over the last year, we have extensively reverse-engineered the complex protocol stack powering the seamless wireless communication between the iPhone and the Apple Watch. Unlike other manufacturers, Apple makes heavy use of its own novel protocols and employs several standard and non-standard security measures — we present our analysis of these protocols, from the basic transports providing WiFi or Bluetooth connectivity all the way to how Apple encrypts and synchronizes actual heart rate measurements from the watch’s sensors.
While a lot of security research on wearable devices has focused on trivial issues in improperly secured devices, we use our insight into the Apple Watch protocol stack to analyze the security of a trillion-dollar company’s flagship wearable, the closest thing we have to a gold standard for smartwatch security. What we uncover is a reasonably solid ‘defense in depth’ architecture that is, however, weakened in several places by Apple’s tendency to go custom. We present two concrete vulnerabilities that were reported to Apple in the course of our research.