Pebble Smartwatch Talk at Virus Bulletin 2016

By Axelle Apvrille | October 14, 2016

I just returned from VB 2016 (the Virus Bulletin International Conference) held this year in Denver. My personal favorite talk was on exploiting Pebble smartwatches ("Exploit Millions of Pebble Smartwatches for Fun and Profit" by Zhang and Wei). Our expectations are usually higher in one's own field of expertise, but this one is really great work.

Basically, the authors found an assembly routine inside Pebble's operating system that elevates the caller's privileges. If you are familiar with ROP, think of it as a privilege elevation gadget. Normally, Pebble OS calls this routine only when privileges need to be elevated, and then calls another routine to return to normal privileges. In practice, however, nothing prevents a skilled hacker from calling just the privilege elevation gadget... and that is what the authors demonstrated.

Their conclusion is that any device with an ARM Cortex M processor is vulnerable to their hack. This is partly true and partly exaggerated, because other conditions must hold as well. Let's spell them out.

The vulnerability is exploitable if

  1. The processor is an ARM Cortex M. On these cores the privilege level is a single bit (nPRIV in the CONTROL register), and the MPU only enforces memory permissions according to that bit, so flipping it is all an attacker needs. Processors with an MMU, for instance, are not vulnerable in the same way.
  2. AND the attacker is able to execute code on the device. For Pebble smartwatches, this is "easy" because applications are developed in C and run on the smartwatch itself. We'll see later, however, that this condition is not easy to meet in all cases.
  3. AND there is a way to elevate the privilege without returning to normal privilege afterwards. This typically happens if (a) the OS has a bug, or, as the authors found, if (b) a privilege elevation gadget exists.
  4. AND in case of (a), the attacker is able to trigger the bug, or in case of (b), the attacker is able to reach the memory address containing the elevation gadget.
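To make the four conditions concrete, here is a small host-side model of the Cortex-M privilege mechanism, written for this post as an added example. It is not Pebble OS code and the SVC numbers, handler names and addresses are invented for illustration; what it models faithfully is that privilege is one bit (CONTROL.nPRIV), that Handler mode is always privileged, that exception return does not restore nPRIV, and that the MPU grants access per region separately for privileged and unprivileged code. The "elevate" and "drop" pair mirrors the routine pair described above; the third syscall shows the design that leaves no gadget to abuse.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Host-side model of the Cortex-M privilege mechanism (added example, NOT
 * Pebble OS code). SVC numbers, handler names and addresses are illustrative.
 * Modelled faithfully: privilege is one bit (CONTROL.nPRIV), Handler mode is
 * always privileged, exception return does not restore nPRIV, and the MPU
 * decides access per region separately for privileged/unprivileged code. */

#define KERNEL_DATA 0x20000000u   /* RAM the MPU reserves for the kernel */
#define APP_DATA    0x20010000u   /* RAM the app is allowed to use       */

typedef struct { uint32_t base, size; bool priv_rw, unpriv_rw; } MpuRegion;

typedef struct {
    bool in_handler;   /* Handler mode (exception) vs Thread mode        */
    int  npriv;        /* CONTROL.nPRIV: 1 = unprivileged Thread mode    */
    MpuRegion regions[2];
} Cpu;

static Cpu cpu;

static void cpu_reset(void) {
    cpu.in_handler = false;
    cpu.npriv = 1;                                    /* apps start unprivileged */
    cpu.regions[0] = (MpuRegion){KERNEL_DATA, 0x10000, true,  false};
    cpu.regions[1] = (MpuRegion){APP_DATA,    0x10000, true,  true };
}

static bool is_privileged(void) { return cpu.in_handler || cpu.npriv == 0; }

/* MPU check for a data access at the current privilege level. */
static bool mpu_allows(uint32_t addr) {
    for (int i = 0; i < 2; i++) {
        const MpuRegion *r = &cpu.regions[i];
        if (addr >= r->base && addr < r->base + r->size)
            return is_privileged() ? r->priv_rw : r->unpriv_rw;
    }
    return false;                                     /* background: MemManage fault */
}

/* MSR CONTROL: nPRIV can only be changed by privileged code; the write is
 * silently ignored from unprivileged Thread mode. */
static void msr_control_npriv(int v) {
    if (is_privileged()) cpu.npriv = v;
}

/* Kernel as the talk describes it: one routine raises, another restores. */
enum { SVC_ELEVATE = 1, SVC_DROP = 2, SVC_WRITE_KERNEL_DATA = 3 };

static void handler_elevate(void) { msr_control_npriv(0); }    /* the gadget */
static void handler_drop(void)    { msr_control_npriv(1); }

/* Hardened alternative: the privileged work happens inside the handler
 * (privileged anyway), arguments are checked, nPRIV is never touched. */
static bool handler_write_kernel_data(uint32_t addr) {
    if (addr < KERNEL_DATA || addr >= KERNEL_DATA + 0x10000) return false;
    return mpu_allows(addr);                          /* evaluated privileged */
}

/* SVC entry: Handler mode is privileged; after return nPRIV keeps whatever
 * the handler left in CONTROL, because CONTROL is not part of the stacked frame. */
static bool svc(int num, uint32_t arg) {
    bool ok = true;
    cpu.in_handler = true;
    switch (num) {
    case SVC_ELEVATE:           handler_elevate(); break;
    case SVC_DROP:              handler_drop();    break;
    case SVC_WRITE_KERNEL_DATA: ok = handler_write_kernel_data(arg); break;
    default:                    ok = false;        break;
    }
    cpu.in_handler = false;
    return ok;
}

/* Conditions 3 and 4(b): the app reaches the elevation gadget, never the drop. */
static bool attack_calls_gadget_only(void) {
    cpu_reset();
    bool before = mpu_allows(KERNEL_DATA);            /* false: MPU blocks the app */
    svc(SVC_ELEVATE, 0);                              /* ... and no SVC_DROP      */
    bool after = mpu_allows(KERNEL_DATA);             /* true: app is now privileged */
    return !before && after && cpu.npriv == 0;
}

/* Why a gadget is needed at all: flipping the bit from app code does nothing. */
static bool direct_msr_from_app_is_ignored(void) {
    cpu_reset();
    msr_control_npriv(0);
    return cpu.npriv == 1 && !mpu_allows(KERNEL_DATA);
}

/* Hardened design: privilege is never handed back to Thread mode. */
static bool hardened_syscall_leaves_app_unprivileged(void) {
    cpu_reset();
    bool did = svc(SVC_WRITE_KERNEL_DATA, KERNEL_DATA + 0x40);
    return did && cpu.npriv == 1 && !mpu_allows(KERNEL_DATA);
}

int main(void) {
    printf("gadget-only call leaves app privileged:  %d\n", attack_calls_gadget_only());
    printf("direct MSR from app is ignored:          %d\n", direct_msr_from_app_is_ignored());
    printf("hardened syscall keeps app unprivileged: %d\n", hardened_syscall_leaves_app_unprivileged());
    return 0;
}
```

The point of the model is the asymmetry it makes visible: the app cannot clear nPRIV itself, but any privileged routine that clears it and then returns to Thread mode hands the bit to whoever called it. The fix is not to "protect" the drop routine but to never export an elevation step at all: do the privileged work inside the exception handler and leave CONTROL alone.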

In practice, I have thought the problem over for 3 other connected objects I have personally investigated. Although 2 of them feature a Cortex M processor, as you can see in the table below, in practice it is highly uncertain that the vulnerability would affect them. However, it would certainly be interesting to conduct more research on that.


-- the Crypto Girl