Notifications on Android Wear are encrypted with an easy-to-crack PIN

The encrypted communication between an Android phone and a smartwatch with Android Wear is protected with a pin code of only six digits. That’s what a security company claims. Anyone who cracks the six-digit PIN code can intercept notifications from users.

With cracked PIN codes, intercepted traffic can be decrypted and messages can be read, says a BitDefender security researcher. Cracking the PIN wouldn’t be difficult: because it’s six digits, there are up to a million possibilities. With a brute force attack of open source tools, that code is easy to retrieve.

The phone sends notifications over the bluetooth connection, such as chat messages, emails, text messages and incoming phone calls. To intercept the traffic, the attacker must be close to the user, so that the bluetooth connection is in sight. The researcher used a Nexus 4 with Android L Preview and a Samsung Gear Live smartwatch with Android Wear.

Current smartwatches and telephones connect via bluetooth 4.0 and 4.1, versions in which the Bluetooth SIG steering committee has deployed weaker security than in older bluetooth versions, because it proved impossible to implement in time. This has been changed in version 4.2. Moderate security is not a problem for many Bluetooth connections, but traffic between an Android smartphone and an Android Wear wearable can contain sensitive data. Google has apparently not chosen to add an extra layer of security.