harmful code on the device. Fortunately, the code that is being run on the Pebble
is compiled C code, which lets a programmer reach some parts of memory
that the API doesn’t provide access to, by using “invalid” pointers to
dump various parts of memory.
The Pebble only allows one Watchapp to run at a time, though up to eight
Watchapps can be loaded onto the Pebble. The Pebble uses the UUID to distinguish
between Watchapps. Additionally, the watch has a limited amount of persistent
storage, accessed per Watchapp as a key-value store. Both the loaded Watchapps
and the persistent memory are stored in the Flash Memory of the Pebble Watch.
One attack that we discovered is to fake the UUID of a Watchapp to be the
UUID of another Watchapp that uses persistent storage (Figure 1). This is fairly
easy, since Watchapps have a JSON manifest that lists the UUID in string form.
Then, when the malicious app is installed, it causes the previous app to be unloaded
from the Pebble Watch. However, unlike normal Watchapp unloading, this does not
clear the persistent storage. Thus, the new app has access to the older
app’s storage data. There is no authentication that the apps have the
same author or are even similar in nature. In practice, the user would notice
one of their Watchapps being deleted for no apparent reason, especially since this
requires the user to install the malicious app. This would allow malicious access to
a targeted Watchapp’s storage based on the UUID. Although the key-value store
is based on a 32-bit key, this could also be extracted from the targeted Watchapp.
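
A pre-install check for the UUID collision described above, as an added example that is not part of the original paper: it flags a candidate manifest whose UUID matches a Watchapp already on the watch. The manifest field names "uuid", "shortName" and "companyName", the sample manifests and the function names are assumptions.

```python
import json
import uuid

# Constructed sample data: manifests of Watchapps already on the watch.
# The "uuid", "shortName" and "companyName" field names are assumptions.
INSTALLED = [
    {"uuid": "6f1c2a44-0b7e-4d7a-9c55-2e8f1a3b9d10",
     "shortName": "NotesKeeper", "companyName": "Example Labs"},
    {"uuid": "a3d9e0f2-5c41-4b86-8f27-71c4d2e6b5a8",
     "shortName": "StepCount", "companyName": "Other Co"},
]


def normalize_uuid(value):
    """Return the canonical lowercase form of a UUID string, or None."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        return None


def check_install(candidate_json, installed=INSTALLED):
    """Classify a candidate manifest before it is loaded onto the watch.

    Returns (verdict, detail) where verdict is one of:
      "reject"  - manifest has no usable UUID
      "install" - UUID is not in use, no stored data is exposed
      "confirm" - UUID collides and the declared author matches
      "block"   - UUID collides and the declared author differs
    """
    cand = json.loads(candidate_json)
    cand_uuid = normalize_uuid(cand.get("uuid"))
    if cand_uuid is None:
        return ("reject", "missing or malformed uuid")
    for app in installed:
        if normalize_uuid(app.get("uuid")) != cand_uuid:
            continue
        # Collision: installing would unload `app` and hand its persistent
        # storage to the candidate. The author field is self-declared, so a
        # match is only grounds to ask the user, not proof of common origin.
        if app.get("companyName") == cand.get("companyName"):
            return ("confirm", app["shortName"])
        return ("block", app["shortName"])
    return ("install", None)
```

Comparing canonical UUIDs rather than raw strings keeps a collision from slipping past the check through a change of case or punctuation in the manifest.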