- A-over-C protocol uses the same vulnerable cryptography
as iMessage.
- uses other privitives that leave the payload data entirely unauthenticated
> the security weaknesses we found stemmed from proprietary protocol extensions and
nonstandard cryptography
Conclusion
> Our work on WatchWitch shows that true interoperability between
the Apple Watch and third-party Android devices is feasible despite
prior contrary claims: We have reimplemented several essential
smartwatch features on Android, including push notifications, Inter-
net sharing, and health data synchronization. We have also shown
that we can achieve this level of interoperability while maintaining
security—employing the same cryptographic protocols and storing
keys and data with comparable hardware-backed security.
Going beyond interoperability, we have seen how opening the
Apple Watch ecosystem to open-source implementations can bene-
fit users by offering better privacy, more complete access to data,
and even entirely new features such as a fine-grained firewall.
Our research makes the security and privacy properties of the
Apple Watch visible and presents a way towards autonomy and
independence, allowing users to use their devices on their own
terms and beyond the manufacturer’s intentions. We look forward
to seeing researchers, tinkerers, and manufacturers build upon our
work—be it in terms of alternative software, hardware, or entirely
new applications
nabla9•6mo ago
- insecure IKEv2 Extensions
- A-over-C protocol uses the same vulnerable cryptography as iMessage.
- uses other privitives that leave the payload data entirely unauthenticated
> the security weaknesses we found stemmed from proprietary protocol extensions and nonstandard cryptography
Conclusion
> Our work on WatchWitch shows that true interoperability between the Apple Watch and third-party Android devices is feasible despite prior contrary claims: We have reimplemented several essential smartwatch features on Android, including push notifications, Inter- net sharing, and health data synchronization. We have also shown that we can achieve this level of interoperability while maintaining security—employing the same cryptographic protocols and storing keys and data with comparable hardware-backed security. Going beyond interoperability, we have seen how opening the Apple Watch ecosystem to open-source implementations can bene- fit users by offering better privacy, more complete access to data, and even entirely new features such as a fine-grained firewall. Our research makes the security and privacy properties of the Apple Watch visible and presents a way towards autonomy and independence, allowing users to use their devices on their own terms and beyond the manufacturer’s intentions. We look forward to seeing researchers, tinkerers, and manufacturers build upon our work—be it in terms of alternative software, hardware, or entirely new applications