Bad Smart Watch Authentication
35 comments
February 9, 2025
cogman10
GJim
> who cares
I hear this a lot.
Yet those same people suddenly do care when their personal information (or that of their wife/girlfriend/child) ends up all over the internet.
cogman10
The extent of the personal data is what you put on the watch.
Anonymous heart rate data simply isn't interesting to anyone. You won't find any dark net health statistics.
microtherion
ApplePay is a major use case for my Apple Watches. Don't Android watches use the Google equivalent, however that is branded at the moment?
Another use case is using the watch to unlock other devices. That also seems security sensitive.
And some people may be uncomfortable about the health data that could be extracted from such a watch.
cogman10
> I'd only suggest that if the watch supports putting a credit card on it that you rethink doing that.
I'm not giving these watches a ringing endorsement. I wouldn't buy or wear one.
I'm just saying the authentication system isn't super dire.
asynchronousx
Great writeup, didn’t expect “bad authentication” to actually be zero authentication, that’s absurd.
throitallaway
I get a little nervous about my Pixel watch. None of those watches have been updated since November and there are likely some juicy CVEs hanging out on them.
PostOnce
"My watch is a security risk and my refrigerator uses 3 gigabytes of data a day."
"I can't access my todo list because azure is down"
We should go back to analog. We're wasting our time.
mightysashiman
Now if one could do some reverse engineering on Garmin watches and enable an open-source alternative to Garmin Connect, that would be marvellous.
rft
Garmin watches are partially supported by Gadgetbridge [1]. I have not used it, but it seems to at least support basic data for many Garmin watches.
ulf-77723
What's wrong with Connect from your perspective? My only concern with it is that it's slow.
cge
One problem with it is it requires a constant network connection for everything, which is baffling for software designed for devices where major intended uses involve being in situations with poor or no network connection.
barbazoo
Do you need Connect to use the device though? I was under the impression Connect is used for sync.
m463
I would love to be able to update firmware on my garmin watch, but I think that's all tied up in connect (which I don't use) somehow.
arijun
I wish there was a concept of paid expert reviews on Amazon/everywhere. A general review system works well (ignoring review gaming) when your concern is "Does this shirt fit?" or "What's the build quality?", but fails when one expert review of "This device is fundamentally unsound," gets drowned out by reviews on the more easily testable aspects ("The band is really comfortable!").
A great example would be when Benson Leung was testing USB-C cables on Amazon to see which were standards compliant.
michaelt
I considered doing this once, a few years ago, but I couldn't figure out a way to make it work.
It's pretty frustrating that when you're shopping for a laptop, nobody can tell you it'll suspend properly under Linux. Or when you're shopping for a bike light nobody can tell you whether over the summer it'll self-discharge to the point it bricks itself due to cell imbalance. Or when you're shopping for a microsd card, nobody can tell you.... you get the picture.
But to produce honest reviews, I couldn't accept free review units, kickbacks or affiliate money. And people shopping for laptops and bike lights don't need a $$$-per-month subscription to my newsletter/channel/patreon, they just need a few yes-or-no answers.
And there's a huge amount of churn in products on sites like Amazon; you wouldn't just pay for 40 bike lights, review them all, and solve the problem forever. Different models and brands appear all the time.
And even then, just because when I reviewed that microsd card and found it had great performance, nothing stops the manufacturer substituting cheaper components later on, without changing the part number; it's not like there was a specification promising the performance I observed in my review.
mansandersson
I get your point. But every so often you stumble upon someone actually doing exactly that within their particular interest domain, such as the guy in the Netherlands who buys and tests bike lights:
https://swhs.home.xs4all.nl/fiets/tests/verlichting/index_en...
ge96
In my experience too, when posting a negative review it can get removed (this was about replacement batteries for Lenovo laptops).
fph
We need to use Unicode steganography to hide the message "this smartwatch sucks" into an innocent-looking review.
redleader55
Apparently something similar is used by Chinese customers reviewing restaurants. They would make a food sign from food pieces that spells "crap food" in slang, but otherwise leave a stellar review for the restaurant.
scblock
How does this help anyone?
DecentShoes
I had a review removed on Amazon for mentioning that the company bribed me for a fake positive review.
WorldMaker
Find a business model for Consumer Reports that better fits this century and add things that should be obvious like "Search by ASIN" to their website?
ThinkingGuy
TornadoGuard: https://xkcd.com/937/
thrownblown
Project Farm!
pirates
Seconding this, Project Farm absolutely rules. I’m not the target demographic for probably half the stuff he reviews but I’m always impressed with his videos.
That said I’m a little curious if any kind of Gell-Mann effect is going on since he never reviews products that I already have extensive experience with. I’m wondering if anyone has watched any of his reviews and came away feeling like he did a really poor job.
HnUser12
Isn’t amazon vine paid review?
null
Now, I'm not going to say this is great, but honestly it seems pretty close to a "who cares?" situation.
We are talking about a device with no internet connection that can only be accessed by someone in the same proximity to yourself.
Perhaps don't buy this watch if you live in a crowded location and take public transport a lot. For everyone else, it seems really unlikely that the people you interact with will have set up a malicious attack for your watch brand. I don't think wardriving smart watches is a thing.
I'd only suggest that if the watch supports putting a credit card on it that you rethink doing that.