SRK Powertech Pebble Prism Ultra Unauthenticated BLE Command Execution and Data Interception Vulnerability

A vulnerability in the Bluetooth Low Energy (BLE) communication of the SRK Powertech Pebble Prism Ultra smartwatch, specifically in version 2.9.2, allows attackers to exploit the lack of authentication and authorization. This flaw enables the reverse engineering of the BLE protocol, execution of arbitrary commands on the device, interception of cleartext data, and unauthorized firmware manipulation through Over-The-Air (OTA) services. The vulnerability can be exploited from an adjacent Bluetooth range without physical contact with the device.

Impact

Exploitation of this vulnerability allows for unauthorized interception of cleartext notifications, injection of spoofed alerts, and unauthenticated access to the device's firmware update process, potentially leading to unauthorized modifications or bricking the device.

Reproduction

The vulnerability can be reproduced by connecting to the Pebble Prism Ultra smartwatch via BLE. Once connected, arbitrary write requests can be sent to the device's notification characteristic, which is unprotected by encryption or authentication. This can be done using standard BLE tools such as 'gatttool' on Linux. After intercepting cleartext notifications, the same method can be used to inject fake alerts onto the device.

Remediation

Users are advised to disable sensitive notification permissions for the FitPro app and avoid pairing the device in crowded or untrusted public spaces.