Federal agencies and businesses face growing exposure to wireless threats as modern devices introduce new cybersecurity attack vectors that traditional security tools cannot detect or control. To mitigate consumer and enterprise risks associated with IoT devices in no-phone zones, Bastille Networks’ wireless intrusion detection system identifies and quarantines unauthorized emitters and behavioral abnormalities before data breaches can occur. Explore real-world examples of how Bastille’s IoT security solution proactively defends mission-critical environments from covert emissions, unapproved device behavior and Wi-Fi deauthentication attacks.
Anthony Jimenez
Welcome back to CarahCast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Carahsoft production team.
On behalf of Bastille Networks, we would like to welcome you to today's podcast. Adrian Sanabria and John Bundy kick off the wireless threat series by exploring smartwatch security risks. They discuss how features like Wi-Fi, Bluetooth, cellular, and sensors create new attack surfaces, highlighting real-world incidents involving data leaks and compromised devices.
The episode covers both personal privacy risks and enterprise concerns, along with practical advice on vendor trust, risk tolerance, and updating security policies to account for smartwatch capabilities.
Adrian Sanabria
Welcome to the wireless threat podcast series sponsored by Bastille Networks. I'm Adrian Sanabria, and joining me is John Bundy. How you doing, John?
Jon Bundy
Doing well. How are you doing, Adrian?
Adrian Sanabria
I'm doing great.
I'm looking forward to this new series and all the nerdy stuff we're going to cover. I'm very much a gadgets person, so I love that this really kind of lands in my sweet spot. I probably see myself buying gadgets just, you know, as like visual demonstrations, or maybe we'll get to actually doing some live demos here.
So I'm very excited for that. I need very little excuse to buy gadgets, so I'm very excited. All right.
In this podcast series, we explore a new class of device or threat in each episode. We help you understand the threat, walk through some real-life scenarios, and as I mentioned, even do the occasional live demo. Ultimately, the goal is to answer your questions as to whether you should be worried about these things.
If you have any devices, threats, or attacks you want us to dissect on this podcast, please let us know in the comments. We would love to get some audience-submitted suggestions there. And this week, we're discussing smartwatches.
So let's get started. All right, John. So I already held one up here.
I am a huge fan of Pebbles. I love smartwatches. I have a very specific idea of what a smartwatch should be and what it should do for me.
I tried using an Apple Watch for a year, and I mostly hated it. It wasn't just the battery life, but the interface, the trying to find things. It just seems like Apple is packed.
Their idea of a smartwatch is almost the same as an iPhone, which is not the product I want at all. I want something simple that does three or four things really well. Tell me what the weather is.
Tell me when my next meeting is, and maybe give me some timers. Not a whole lot more than that. But you've done some research.
You've looked into smartwatches here. How do you view this device category?
Jon Bundy
Well, first, I'm very similar to you in that I have a smartwatch, too. I'm wearing one here. I have very few needs for it.
I don't want a full-fledged phone. I use it, surprisingly, I think the most common thing I use it for is for countdowns when I'm cooking. But I really wanted something to help with sleep, and that works really well for that.
And like you, I found weather on it that's kind of nice as well. So very limited use cases. But as far as your question was about what do I think about smartwatches in general and their risks, I see kind of two main categories, right?
There's consumer risk or threat risks to the person, and there's business risk. And we're going to talk about both today.
Adrian Sanabria
Yeah. Yeah, and I think it might be good to start out just talking about, I think because Apple has kind of dominated this category, I mean, there are Android, Wear OS, Google-based smartwatches as well. But most people think of that kind of form factor, but there are the Garmins out there.
And then there's also some kind of DIY hobby class devices you can strap on your wrist. So when thinking of it from a, maybe more of a penetration testing standpoint, there's some things that are more purpose-built than just a general purpose Apple watch. Does that broaden the attack surface some if we consider some of those other devices?
Do you really consider them a threat or not?
Jon Bundy
I guess, yeah, if you broaden that smartwatch category to include things you wear on your wrist, it certainly includes some interesting devices that you'd almost consider to be novelty, but still you'd like to know about them, right? I think you're talking about in particular something called the ESP32 deauther.
Adrian Sanabria
I ordered one and it's not here yet, so I can't demonstrate it.
Jon Bundy
Yeah, that's a pretty common capability that's been around for quite a while. Lots of blog posts on it. I think it started with the ESP8266, if I remember the model, the previous model correctly.
2.4 gigahertz only device that sends out deauthentication frames to your Wi-Fi networks.
Adrian Sanabria
It's been documented. Explain a little bit what that does, what deauth does.
Jon Bundy
So a deauthentication attack on Wi-Fi, it's a command that says, leave the network and you can send it to the clients. So what you do is you spoof the access point, its MAC address, and you send this request either to a specific client that you already know or to all the clients and you say, please leave this network. It's not a please, it's more of a leave the network.
Again, these are limited to the 2.4 gigahertz band, which is still frequently used and commonly used. There are ways to mitigate this. The Wi-Fi specification has evolved to add protection against this, but it comes with some of your newer specs, WPA3 has it mandatory.
You can use it with WPA2, your older versions, but a lot of clients don't support it. So now you've got this trade-off, you know, do you want to have better security or more compatibility with your clients? And so it still works because of that.
Adrian Sanabria
Yeah, maybe your surveillance cameras or something like that are only 2.4, you know, they don't work with the latest specs. And maybe that's the use case here. Maybe I'm a pen tester and I want to see if I can stay off your surveillance cameras by de-authing them from the network or something like that.
I don't know if that would actually work. I'm just off the top of my head throwing that out there.
Jon Bundy
I think one of the more common use cases is to de-auth clients to try to get them to connect to an attacker-controlled access point. So it's the first step in some attacks. Another reason you do it is to try to capture handshakes on WPA personal networks.
So it is often a first step.
Adrian Sanabria
Yeah.
Jon Bundy
So it's kind of a neat twist on your smartwatches in general.
Adrian Sanabria
And then there's kind of the other side of this, like, you know, one of the things I want to do in this wireless series is also address threats that aren't really threats. Like sometimes there's some myths out there. You know, and I think one of these things, like when you see wearable devices in the news around cybersecurity, with cybersecurity as a topic, one of the things that often comes up are fitness trackers and Strava, right?
You know, and that's not exactly a smartwatch. Like there's all kinds of fitness devices that, you know, you've got chest straps, you've got things that clip onto your clothing, you know, not all of them are in the watch form factor. But do you consider that as part of the threat model here, part of the attack surface, or is that more of an application, you know, is Strava more the threat than the fitness tracker there?
Jon Bundy
Yeah. In this case, I guess I would categorize that more as kind of your general cloud-based threat, right? So in general, when you have data in the cloud, there's a risk, right?
There's always a risk. We hear about data leaks all the time, passwords being stolen, personally identifiable information being stolen from these databases in the cloud. And a smartwatch is just one more vector to get data into the cloud, right?
But now the data is maybe a little more important to you. You have to consider your personal risk profile, right? This is your health data, your sleep data, your location being sent to the cloud.
Not only the smartwatch vendor's cloud, but very often, in this case with Strava or other third party, more of a social cloud where you share additional data to a third party in the cloud. And then you publicly make it available because of social networks. That's where that leak you're talking about came from.
Adrian Sanabria
And now we know where the general is because of their bodyguards going out for morning runs, right?
Jon Bundy
Yeah, that was exactly the case, right? They found these near the military facilities that people were wearing, using Strava, and you could tell where their patrols might be or where their morning run might be or where the interesting buildings might be. Just without any, it was all anonymized data, it was heat maps, but it gave a heat map of activity.
And so we don't really consider that when you put on that smartwatch or fitness tracker, where that data goes, right? So is it a risk of the smartwatch? I would say that it enables it.
It's a general cloud-based risk that we should all consider. And social media sharing as well.
Adrian Sanabria
I think it's also worth mentioning, you know, since this is kind of a wireless-focused series, you know, what kind of hardware, what kind of capabilities from a wireless standpoint we tend to see inside the smartwatch form factor?
Jon Bundy
Yeah, so like, they're kind of like mini phones or mini computers at this point. They've got a little OS, an operating system, applications, and they have various ways to communicate. And usually you don't use, you know, an Ethernet cable in them, but you can have Wi-Fi, perhaps, cellular, a SIM card, Bluetooth, and possibly NFC, near-field communication, for payments and other activities.
So there's maybe four different radios possibly in these smartwatches.
Adrian Sanabria
With my Apple smartwatch, that wasn't immediately obvious to me. Like I realized that at some point, like when it would play a video or show me an image or something like that, I'm like, there's no way I'm getting that over just Bluetooth. And it was not obvious to me that my watch had a Wi-Fi chipset and was connecting to Wi-Fi and grabbing that stuff directly rather than the phone passing it off to me.
Because what I have, like my main watch before and after that Apple watch is a Pebble watch and it just has the Bluetooth. And it relies on the phone for pretty much everything. Whereas these Apple watches, there are people now that use them as their main devices.
Like this is one of these like moving to a minimalist phone where they're actually using Apple watches as their minimalist phone. And you can buy little cases where you take the bands off the watch and you snap the whole Apple watch, you know, just a little centerpiece here into a thing with controls on it. And you use it as a little tiny phone with a tiny screen on it.
Yeah, it keeps you off of Instagram and TikTok and all that.
Jon Bundy
Yeah. I don't know if I could go that small though. Yeah.
Adrian Sanabria
Well, I mean, that's kind of the idea is it frustrates you from using the Internet because it's not convenient to use. So you use it less.
Jon Bundy
And you brought up a good point. Like you didn't even know it's using Wi-Fi and weren't cybersecurity aware. But some of these things, there's convenience and security tradeoffs happening all the time.
And that's one of those convenience things where once it's connected in the Apple ecosystem, all that stuff about Wi-Fi can just be shared and you don't need to worry about it. It just happens. Right.
You didn't set it up to connect to a Wi-Fi network. Maybe you did, but it could just be just as common for the phone to handle that for you and automatically configure it to use Wi-Fi when you're in range.
Adrian Sanabria
Yeah. And that was the thing that surprised me is I never connected it to my Wi-Fi. Apple just hands off the credentials for the Wi-Fi to the watch and it works the same way with the payments.
Right. And sometimes it does and sometimes it doesn't. I think I actually had to do something to be able to use payments from the watch.
Like very intentionally, I had to say that I want this card to be available on the watch, whereas I didn't specifically tell it to share that Wi-Fi information. So sometimes like you have to confirm something specifically. And sometimes it just Apple is just helpful.
It does things without asking you. How clandestine can you be with this kind of form factor? Like what do we see people doing potentially with smartwatches?
Like from a threat perspective, if you have, say, a contractor coming into a data center or something like that to do some work, you know, what could I sneak in? You know, like maybe put let's put on our red team hats here.
Jon Bundy
Yeah. So thinking about it from a red team perspective and attacking perspective, some of the behavior is enabled by the fact that there might be no phone zones, but they're not often no watch zones. Right.
So you might have to leave your phone behind and think, OK, well, that's a pretty good security step. Right. Let's keep those behind because those things can just sniff data.
They can take pictures. They can record that. We clearly know we don't want this in the sensitive area, but then you might not have the same policy for the watch.
And people might not even.
Adrian Sanabria
Watches can't take pictures or can they?
Jon Bundy
Well, yeah, that's changing more and more do currently, especially Android, like you mentioned, the phone replacement sort of concept, there's Android phone replacement sort of watches that do have the camera. I looked at another one. I'm not sure what the OS was, but it had a pop out watch in the little watch file, the little knob on the side.
And so you wouldn't even know by looking at it, but you can pop that out and hold it kind of like this and take a camera instead of turning it like that. Right. So that's pretty clandestine in my opinion.
Adrian Sanabria
Yeah, you look like you're scratching your nose or something and you're snapping pictures.
Jon Bundy
So you can sneak that watch and it's not even sneaking in. Right. People might not think to ask you to remove it.
A lot of these smartwatches now do have microphones. We know that from the voice assistants. A lot of them have voice memo recording capability.
Well, that's a way to record information from conversations and that data center should go by that might maybe shouldn't be recorded. We just talked about some of them have cameras. There's a way to just kind of, you know, take a picture.
So those are the sorts of things they could do from a malicious insider contractor. So another one that's coming up that I see, you know, I've used this concept in the past is Bluetooth file transfer. Don't you have access to a phone?
Let's say that is a malicious insider. You have access to your computer. You can maybe that computer is secured and it doesn't allow a USB file transfer.
And all that. Well, they might not have secured Bluetooth on it. You can do a Bluetooth file transfer to your watch.
You can do it just as easily to your phone. But again, if this is a no phone zone, but you have your watch in there, there's another potential vector for exfiltration.
Adrian Sanabria
You know, some of these cheaper devices or, you know, sometimes there are knockoffs that this was something I found when I traveled to the Middle East years ago was that there is this kind of, you know, in the U.S. they kind of crack down on this kind of stuff. But there are some markets where you can find something that's running iOS, but the hardware is clearly not Apple's hardware. And I was kind of shocked to find that.
But, you know, what's some of the more nefarious stuff that you found that people should be, you know, if not from an enterprise standpoint, you know, certainly from a consumer standpoint, should be wary of?
Jon Bundy
Yeah, from like a personal risk, just again, with all this data it's collecting, it goes back, I think, to vendor reputation. So you brought up a good point, right? There's your clones, counterfeits, whatever you want to call them that are built to a different price point, we'll call it.
They're available. They might not have the same privacy policies and security policies that Apple, Google, Samsung may have. Kind of a get what you pay for sort of concept there.
Yeah, these less expensive, less reputable devices might not be as secure in general. They might actually have intentional malicious applications or firmware put on them. And I've seen examples of both of those.
So one example, which was interesting is, is almost a spear phishing like attack where somebody wanted to replace their fitness tracker or they went on Amazon. They were recommended a certain model that had a storefront there. They purchased it.
Well, what this person didn't know is that an ex colleague that had a bone to grind with him was running that storefront and they were able to deliver some white label fitness tracker, right? That they controlled. So now it's like a supply chain attack with some spear phishing.
So it's, it's a pretty complex attack chain, but, but I think the concept is if you don't know who's providing that, right? Maybe you shouldn't trust it in this case. Again, there's some malicious firmware applications on there that would see two factor authentications come via SMS and share it back out.
And the, this ex colleague was able to use that to log into a system he shouldn't have been able to log into. So that's one example of, you know, some cheap devices, maybe not from a reputable vendor in, in, in combination with a spear phishing attack, where it was very, very targeted to that individual. But again, the concept is you don't know the supply chain.
What do you trust?
Adrian Sanabria
Yeah.
Jon Bundy
In this case, maybe vendor reputation.
Adrian Sanabria
Exactly. Yeah. And it's, it's so common now to you know, especially if you're buying stuff off of Amazon to find vendors you've never heard of.
You know, creating different devices. And for me, one of the biggest red flag phrases is I got a great deal on this. Look at the great deal that I got on.
Like that always raises an eyebrow for me. So yeah, if you, you hear your spouse or your parents or kids saying something like that, you know, maybe check into it a little bit. There's some really shady stuff out there.
Jon Bundy
You know, I will say that there, there are places that review those privacy agreements. It's probably worth looking into that.
Adrian Sanabria
I think Mozilla is one, right?
Jon Bundy
Yeah. They, they review those. That's a very nice thing to look at.
Like if you're concerned and I did this for Christmas, I was going to get a smart watch for my wife and I was concerned about data collection and I'd look through eventually I settled on Garmin as the least bad, right. Of all of them, as far as what they collect and what their privacy policy was. And I explained to my wife what the pros and cons were of sharing that data, you know, from a personal risk standpoint, I, I personally don't like putting anything in the cloud, so I have mine strictly as an offline watch and it doesn't, it doesn't send anything anywhere but to my phone.
With her, I explained the same things. I said, look, you can have the same sort of experience, but I'll tell you, it is a little more difficult, right? It's harder to get the weather.
It's harder to look at your statistics or whatever, or you can use their app and realize that they are going to put stuff in the cloud and they say they're going to protect it and here's what they say they're going to do and to make a decision based on that. So it's really a personal choice on that.
Adrian Sanabria
Yeah, it just occurred to me, it might be fun for some of these episodes to go back and watch some James Bond, some, some of these movies and see like from 20 years ago, like how much of this is actually possible in these form factors now, you know, the, these things where Q is giving James Bond some kind of gadgets that can do crazy things. You know, I think some of that, it might be fun to do that, fun to, fun to see how much technology is caught up with the imagination in spy movies. Anything else that you've researched here that we haven't touched on yet before we get to, I was going to try out giving each of these threats, each of these devices, a score.
Jon Bundy
Yeah, there's some other things. So again, as you mentioned, I was researching what watches are out there, what their capabilities are. That's how we discovered, you know, they've got four radios.
Some have microphones, cameras, they almost always have Bluetooth. Some can do file exchanges. Some can't.
And here's how confusing it is. I was trying to figure out if my watch had a microphone. I didn't know.
And I looked and it said, yeah, I'm like, what? And they checked like, oh, there was a model update that enable it. And I, I don't.
So I'm like, okay, great.
Adrian Sanabria
So you physically don't have the hardware or it's not enabled. Okay.
Jon Bundy
Physically don't have it. According to, there's no, you should look for a pinhole for the microphone. You know, I did a double check.
My watch doesn't have storage.
Adrian Sanabria
These Pebbles, these Pebbles do, if you can see right there, there is a microphone. And I, I actually have a Claude app on my, on my Pebble, my very, very basic Pebble where I can speak a prompt and it'll send it off to Claude and I'll get the result from Claude, makes it, makes it, makes it feel a lot more premium and modern than, than it actually is. But it does have that microphone on there.
Jon Bundy
Yeah. So. Like I said, it's hard to tell sometimes the capabilities.
So you really should do your research, but given those capabilities, we talked about some exfiltration. Another example of kind of a terrifying, I don't know if it's really a supply chain, but there's a child's watch called an Xplora something or another. There there's still the brands around.
It still sells children's watches and it has a camera as a lot of these children's watches tend to do so that parents can check in and they can do a video call, you've got a SIM, it's cellular connected. Um, they can take selfies with it. Pretty cool.
Hard to do exfiltration with a big purple watch with an obvious camera. You know, I would, maybe you could get away with it. But in this case, the, it was around 2020, the manufacturer had something in the firmware that allowed SMS commands to be sent to a watch.
And the watch would respond back, uh, without any prompting or indication that it responded back. And some of the actions that these researchers found were, I don't know, kind of terrifying as a parent.
Adrian Sanabria
The names in the code were very sus, as the kids say.
Jon Bundy
Yeah. So some of them, they tested the remote snapshot, which would take a picture from the watch and send it to some IP address. Remotely.
Automatically, you know, you've received the SMS, take the picture, send it. No questions asked. And this is being worn by a child.
Right. The other ones included like wiretap and, uh, sending location, no legitimacy.
Adrian Sanabria
Yeah, wiretap, incoming wiretap by callback. I, I don't know. Because it's a kid's device.
Uh, the idea, there is a small market here for like purpose-built kids smartphones that only do very, very basic things. You can't install apps on them, but you can, you know, it's, it's got a few people in there that you can call. You can call your parents.
You can call an emergency contact and that's in a watch form factor also where you can make calls from it. Like these watches you're describing, I think were, uh, did have cell radios in them and, uh, at least eSIMs, if not physical SIMs. And again, just the fact that it was in there was terrifying.
Jon Bundy
And so again, you don't need to worry about this particular watch. It was six years ago. It was patched.
You know, it was, it was an honest mistake. We'll call it. Uh, they didn't realize that they left in these developer functions.
They called it wiretap though. Uh, you know, developers always need to wiretap things when they're testing, I guess. So it was really kind of questionable.
The brand, you wouldn't think anything, it's a Norwegian brand. You don't usually think of the Norwegians as something in my personal threat model to watch out from their, for their devices. Um, and they're still selling it.
Adrian Sanabria
But if we're talking about Xplora, it was like white labeled Chinese hardware though, right? And, uh, the maker of the hardware. And this was odd because, uh, Qihoo 360, I've only, uh, associated with antivirus software.
They make anti, anti-malware software. Uh, apparently they started making smartphones back in 2012 and I'm not in a market where they sell them. So I'm completely unaware of this.
This is, I'm catching up. And apparently, yeah, they, they make a watch for kids as well. So well, company putting wiretap or calling functions wiretap in their code is a cybersecurity company, but out of China.
Jon Bundy
Yeah, it's just so bizarre. And, and I guess the point is it's the vendor again, right? You don't know that supply chain.
You really have to look at their reputation, their history. How quickly do they patch or acknowledge security issues? You know, what's their track record for that?
This brand is still around. They sell in the U S right. It could happen.
It can happen again, I guess, is the point is you choose a brand. You have to trust that they're putting in non malicious firmware. And it's sad that we have to make that leap, but you really have to kind of do your research sometime or accept that risk, I guess, is it's your personal risk.
What are you hunting for that great deal? Well, the risk is it might have a persistent backdoor installed by the developer. What's the probability?
I don't know, but it has happened before. It'll happen again. It's just, that's the way it works now.
I think.
Adrian Sanabria
Let's try and give a, a threat score here out of 10. I would give this a three out of 10. Like it's not something I would ordinarily worry about all that much.
I think there are some niche cases. Like if you have a, like you mentioned a no phone zone, if that watch has the same functionality as a phone, then it should probably be included in that. And the, and the folks enforcing that rule you know, probably somebody at a guard gate or something like that should, should be aware that they should be collecting the watch and the phone in, in most enterprise cases, I'm not really worrying about smartwatches.
You know, there, there's a lower hanging fruit that I would be more worried about personally. What, what would you give it?
Jon Bundy
Yeah, I think that's a good takeaway is, is maybe as these approach phone capabilities, you should treat them as a phone and update your security policies. I think that's a big thing to consider is, is maybe if there's no phones allowed, there should be no watches allowed, but as far as risk, I'm going to divide it into two, right? So personal risk, I think is high, right?
Partly because I have very little tolerance for losing my PII. And this, this is a device that's meant to collect a lot of PII, a lot of health information that could be valuable or detrimental to you in the long hand. So, so I feel that's a risk that they enable through their cloud sharing and other things.
I mean, they're, they give a fingerprint, they add to your technical fingerprint, your wireless fingerprint, just by wearing it along with the other devices. So there's some risk there and I've decided how much I'll tolerate. So I think it's a little higher on the personal side for me than a three, you know, maybe a five or six, but on the business side, I agree.
It's, there's easier ways to be a malicious insider or, you know, perform an attack than to use a watch. The main threats I see for a business using a smartwatch would be persistent recording, you know, pretty unobtrusive. It's there on your wrist, possibly cameras is taking pictures of sensitive documents where phones aren't allowed and possibly data exfiltration, which I've used that method before to get around, you know, limits on USB devices.
So it's certainly possible to do that, but you can do all those same things with a phone. So if you have a phone already, that's easier to do.
Adrian Sanabria
I think I've seen watch bands that have like a USB flash drive integrated into the watch band. Right.
Jon Bundy
Sure. And a little pull out like an inspector gadget or.
Adrian Sanabria
Yeah.
Jon Bundy
You just pull that little cable out and connect it.
Adrian Sanabria
Exactly. Exactly. Yeah.
Any recommendations before we wrap up here?
Jon Bundy
Yes. My big recommendation is personally look at your personal risk profile, what your appetite for risk is when you make these decisions, look at the vendors and their reputation and their privacy scores and make sure that aligns with your values. For a business, if you have no phone policies, you should probably add watches to that as well, because they have a lot of the same capabilities.
Adrian Sanabria
Awesome. And with that, we're going to wrap up this episode. Thank you for joining me, John.
This has been great.
Jon Bundy
Thanks. It was my pleasure.
Adrian Sanabria
Big thanks to Bastille for sponsoring this series and you can check out bastille.net/blog for more information on wireless threats. And don't forget to give us a comment. If you do have any threats, any devices, anything you want us to dive into, we'd be happy to do it.
We've got a long list of stuff that we want to check out. So there's a good chance that something you might drop in there is already on that list, but still maybe that helps us prioritize which episodes we make before others. So we'd love to see some comments and hope you found something useful and we'll see you next time.
Anthony Jimenez
Thanks for listening. Thank you to our guests, Adrian Sanabria and John Bundy. Don't forget to like, comment, and subscribe to CarahCast and be sure to listen to our other discussions.
If you'd like more information on how Bastille can assist your organization, please visit www.carahsoft.com or email us at Bastille@carahsoft.com. Thanks again for listening and have a great day.