quinnjh 5 hours ago
Article was a bit of a nothingburger for the technically inclined. Digging into the paper, the significant finding (RCE) is achieved via: A payload was written which installs a reverse shell backdoor for root persistence. The payload was sent from a computer hosting a Wi-Fi to which the watch was connected, to ensure the watch had a reachable IPv4 address. The program ncat was used both to send the payload to the watch's network service, and to catch reverse shell connections. So if I understand this, it requires the watch being connected to a compromised AP. Anyone get a different read?
purplehat_ 3 hours ago
The quote seems to imply that if the watch receives the payload from any source, even without a compromised AP, it'll pop the shell. The easiest source of this is local network attacks, and it's not that unusual. In this case you could imagine a teacher at school who knows how to use Metasploit. It doesn't seem like it has to be local network, though, the computer just has to receive the packet somehow. So for example if the watch loads a website or connects to some service on the internet (firmware updates, cloud sync, telemetry, whatever), an attacker could try to receive/intercept/redirect that traffic and serve the payload through that channel. You might need the watch to have no certificate pinning or weak certificate validation if it's using TLS, but IoT devices often skip TLS. Let me know if I'm misunderstanding the quote.
pixl97 4 hours ago
Hence why modern secure devices use https to ensure MITM doesn't work because the internet is untrusted at large.
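The two comments above turn on the same point: a device that fetches firmware or cloud data over TLS is only protected from an interposed server if it actually validates the certificate, and the "skip validation" setting that IoT firmware often ships with is exactly what lets an interceptor serve its own payload. The following Go program is an added illustration written for this thread, not code from the paper, the commenters, or any vendor. It starts a local TLS server (Go's httptest package supplies a built-in self-signed certificate, standing in for the device's real update endpoint), then contrasts a client that disables verification with one that pins the server's SubjectPublicKeyInfo hash and rejects any other certificate. The endpoint path, the response body and the mismatched pin value are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// spkiPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo,
// the value commonly used for public-key pinning (it survives cert renewals
// that keep the same key pair, unlike a hash of the whole certificate).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedClient builds an HTTP client that completes the TLS handshake only if
// the presented leaf certificate's SPKI hash is in the pin set. InsecureSkipVerify
// is set so that the default chain/hostname checks (which would reject a
// self-signed device cert) are replaced, not removed: VerifyPeerCertificate is
// still called and is the check that decides whether the connection proceeds.
func pinnedClient(pins []string) *http.Client {
	cfg := &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("no peer certificate presented")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			got := spkiPin(leaf)
			for _, p := range pins {
				if p == got {
					return nil
				}
			}
			return fmt.Errorf("certificate pin mismatch: got %s", got)
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// weakClient reproduces the "just skip TLS validation" pattern: every
// certificate is accepted, so a server interposed on the path is indistinguishable
// from the real one.
func weakClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// fetch performs a GET and returns the body, or the handshake/transport error.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// newTestServer stands in for the device's update endpoint (constructed response).
func newTestServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "firmware-manifest-v1")
	}))
}

// mismatchedPin is a constructed pin (SHA-256 of 32 zero bytes) that no real key matches.
const mismatchedPin = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

// demo runs the three scenarios against the local server: correct pin (accepted),
// wrong pin (handshake rejected), and no validation (anything accepted).
func demo() (pinnedBody string, mismatchErr error, weakBody string, err error) {
	srv := newTestServer()
	defer srv.Close()
	goodPin := spkiPin(srv.Certificate())
	if pinnedBody, err = fetch(pinnedClient([]string{goodPin}), srv.URL); err != nil {
		return
	}
	_, mismatchErr = fetch(pinnedClient([]string{mismatchedPin}), srv.URL)
	weakBody, err = fetch(weakClient(), srv.URL)
	return
}

func main() {
	pinnedBody, mismatchErr, weakBody, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned client, correct pin:", pinnedBody)
	fmt.Println("pinned client, wrong pin:  ", mismatchErr)
	fmt.Println("unvalidated client:        ", weakBody)
}
```

The takeaway for a defender reviewing device firmware is the shape of the check, not the specific pin: with `weakClient` the body arrives whatever certificate is presented, while `pinnedClient` fails the handshake on a key it does not recognise, which is the behaviour that makes interception of an update or sync channel fail rather than succeed silently. Pinning needs a rotation plan (ship more than one pin, or pin an intermediate CA key) so a legitimate key change does not brick the device's updates.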