from Hacker News

Bad Smart Watch Authentication

by _Microft on 2/9/25, 6:18 PM with 33 comments

  • by cogman10 on 2/12/25, 7:56 PM

    Now, I'm not going to say this is great, but honestly it seems pretty close to a "who cares?" situation.

    We are talking about a device with no internet connection that can only be accessed by someone in the same proximity to yourself.

    Perhaps don't buy this watch if you live in a crowded location and take public transport a lot. For everyone else, it seems really unlikely that the people you interact with will have set up a malicious attack for your watch brand. I don't think wardriving smart watches is a thing.

    I'd only suggest that if the watch supports putting a credit card on it that you rethink doing that.

  • by asynchronousx on 2/12/25, 4:46 PM

    Great writeup. Didn’t expect “bad authentication” to actually be zero authentication; that’s absurd.

  • by throitallaway on 2/12/25, 10:31 PM

    I get a little nervous about my Pixel watch. None of those watches have been updated since November and there are likely some juicy CVEs hanging out on them.

    https://developers.google.com/android/ota-watch

  • by mightysashiman on 2/12/25, 5:41 PM

    Now, if one could do some reverse engineering on Garmin watches and enable an open-source alternative to Garmin Connect, that would be marvellous.

  • by arijun on 2/12/25, 3:46 PM

    I wish there were a concept of paid expert reviews on Amazon/everywhere. A general review system works well (ignoring review gaming) when your concern is "Does this shirt fit?" or "What's the build quality?", but fails when one expert review of "This device is fundamentally unsound" gets drowned out by reviews on the more easily testable aspects ("The band is really comfortable!").

    A great example would be when Benson Leung was testing USB-C cables on Amazon to see which were standards compliant.