Details emerge on DoubleDirect risk in Apple Watch

Jun 12, 2015 07:40 GMT

Updating to the latest version of watchOS over a trusted network is the first thing Apple Watch users should do when they receive the device; otherwise they are exposed to a man-in-the-middle (MitM) attack with potentially serious consequences.

The risks associated with the vulnerability range from the theft of credentials for online accounts to being served unwanted web content or malware that could spread across the network.

Risk can extend to smartphone and the network

Zimperium Mobile Security discovered that the initial release of the operating system accepted ICMP (Internet Control Message Protocol) Redirect messages, which let someone on the same network re-route the device's traffic through a host of their choosing.

The researchers dubbed the attack “DoubleDirect” and say that it lets a threat actor intercept communication in both directions, from the victim and from the gateway.

“‘DoubleDirect,’ is a type of ICMP Redirect ‘Man-in-the-Middle’ attack (MITM) enabling an attacker to redirect a victim’s traffic to the attacker’s device. Once redirected, the attacker can steal credentials and deliver malicious payloads to the victim’s device that can not only quickly infect the device, but also spread throughout a corporate network,” explains Zuk Avraham, CTO at Zimperium, in a blog post.

Vulnerable Apple Watch devices (all models running watchOS 1.0) can have their traffic redirected to a system controlled by a third party, who can then read, and for unencrypted connections alter, everything the device sends through it.

The danger is not limited to the wearable: an attacker could use it as an entry point into a larger network or to reach the phone it is paired with.
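What a host actually does with an ICMP Redirect, and why the real remedy is to stop honouring them, is easier to see in code. The following is an added example written for this article, not Zimperium's or Apple's code. It builds a constructed redirect in which the attacker forges the gateway's address as the source and names itself as the new next hop, parses the packet as a receiving host would, and applies the sanity checks RFC 1122 asks hosts to make before acting on a redirect. All addresses, the 192.168.1.0/24 network, the destination 93.184.216.34 and the packet bytes are assumptions made for the demo.

```python
"""ICMPv4 Redirect (type 5) parser and host-side validation.

Added example for this article, not code from Zimperium or Apple.  The packet
bytes, addresses and network below are constructed for the demo.
"""
import ipaddress
import struct
from typing import Optional, Tuple

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for both IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_redirect(src: str, victim: str, new_gateway: str, original_dst: str,
                        code: int = 1) -> bytes:
    """Constructed sample redirect: 'victim, reach original_dst via new_gateway'.
    The ICMP body carries the IP header + 8 bytes of the datagram it claims to answer."""
    triggering = build_ipv4(victim, original_dst, 6, b"\x00" * 8)  # victim -> original_dst, TCP
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + triggering
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(src, victim, 1, icmp)


def parse_icmp_redirect(packet: bytes) -> Optional[dict]:
    """Fields of the ICMP Redirect inside an IPv4 packet, or None if it is not a
    well-formed redirect (bad version, length, protocol, type/code or checksum)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 8 + 28:
        return None
    packet = packet[:total_len]      # drop link-layer padding, if any
    if packet[9] != 1:               # IP protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_REDIRECT or icmp[1] not in REDIRECT_CODES:
        return None
    if inet_checksum(icmp) != 0:     # a valid checksum verifies to zero
        return None
    inner = icmp[8:]                 # header of the datagram the redirect refers to
    if inner[0] >> 4 != 4:
        return None
    return {
        "from": str(ipaddress.IPv4Address(packet[12:16])),
        "to": str(ipaddress.IPv4Address(packet[16:20])),
        "code": REDIRECT_CODES[icmp[1]],
        "new_gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "original_src": str(ipaddress.IPv4Address(inner[12:16])),
        "original_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }


def evaluate_redirect(fields: dict, my_ip: str, current_gateway: str, local_net: str,
                      accept_redirects: bool = True) -> Tuple[bool, str]:
    """The checks RFC 1122 (3.2.2.2) asks a host to make before honouring a
    redirect, behind the blanket policy switch a hardened host sets to False.
    Every check only looks at addresses the sender itself chose to put in the packet."""
    if not accept_redirects:
        return False, "ICMP redirects disabled by policy"
    if fields["to"] != my_ip or fields["original_src"] != my_ip:
        return False, "not about a datagram this host sent"
    if fields["from"] != current_gateway:
        return False, "sender is not the gateway currently used for this destination"
    if ipaddress.IPv4Address(fields["new_gateway"]) not in ipaddress.IPv4Network(local_net):
        return False, "new gateway is not on a directly connected network"
    return True, "route %s via %s" % (fields["original_dst"], fields["new_gateway"])


def demo() -> Tuple[dict, Tuple[bool, str], Tuple[bool, str]]:
    """Constructed DoubleDirect-style redirect on 192.168.1.0/24: the attacker at
    192.168.1.66 spoofs the real gateway 192.168.1.1 as source and names itself
    as the new next hop for the victim's traffic to 93.184.216.34."""
    pkt = build_icmp_redirect("192.168.1.1", "192.168.1.20", "192.168.1.66", "93.184.216.34")
    fields = parse_icmp_redirect(pkt)
    default = evaluate_redirect(fields, "192.168.1.20", "192.168.1.1", "192.168.1.0/24")
    hardened = evaluate_redirect(fields, "192.168.1.20", "192.168.1.1", "192.168.1.0/24",
                                 accept_redirects=False)
    return fields, default, hardened


if __name__ == "__main__":
    f, default, hardened = demo()
    print("redirect:", f)
    print("default policy:", default)    # accepted: the spoofed packet passes every RFC check
    print("hardened policy:", hardened)  # rejected only because redirects are ignored outright
```

The spoofed redirect passes every check a host can make, because ICMP carries nothing that authenticates the sender; an attacker on the same link can put the gateway's address in the source field as easily as its own. That is why the remedy is to have the network stack ignore redirects altogether, which is what Linux does with `net.ipv4.conf.all.accept_redirects=0` and macOS and the BSDs with `net.inet.icmp.drop_redirect=1`. A watch offers no such knob to its user, so on watchOS the update is the only fix.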

Update not available on fresh devices

Although an update that addresses the DoubleDirect issue is available, eliminating the risk is in the hands of users: devices do not ship with the patch, so switching to the latest version of the operating system is necessary.

Zimperium first observed the DoubleDirect attack in the wild in 2014, on iOS, Android and OS X, where it was used to redirect mobile connections to Google, Facebook and Twitter to a system under a third party's control.

[UPDATE]: The article has been modified to reflect the current position Zuk Avraham holds at Zimperium. He is not the company's CEO, having moved to the CTO position in October 2014, and also acts as chairman.

At the moment, Zimperium's CEO is Shridhar Mittal, former general manager of the Application Delivery business unit at CA Technologies.