Digital Forensics Incident Response, Purdue, Technology

Pebble Data Acquisition

by  •  • 0 Comments

Abstract

Wearable technology is the buzz word in the tech world these days.  There has always been a push towards smaller, cheaper computing power.  Processor have gotten so small that we are starting to put them in different locations all around our body.  The mobile phone now contains as much computing power as many laptops.  Wearable technology is growing fast; and gaining ever more uses and functionality.  One popular wearable product is the Pebble Smartwatch.  Pebble Technology Inc. has created a wrist watch that connects to Android and iOS mobile phones.  This device is especially interesting because it comes with a Standard Development Kit and Application Programming Interface for app development and customization.  This means a customer can write their own watch and mobile applications for their wrist watch.  The Pebble is a very small computer, and like most computers, contains useful information.  This paper takes a look at a few techniques for acquiring data from these very small computers.

Steps of the Process

Device Tested

IMAG0335[1]

IMAG0332[1]

The subject for this analysis is a first generation Pebble Smartwatch.  The test device contained the firmware version 1.14.1 and model number: 301BL.  The device has seen normal usage for approximately 8 months.  In that time, it has been connected to a first generation HTC One smartphone.

The HTC One is an android device and has gone through a few operating system updates since connecting with the pebble smartwatch, but at the time of testing the Android OS was version 4.3 Jelly Bean.  To communicate a pebble watch, the mobile device must have the official Pebble application installed.  The HTC One had a mobile app installation of version 2.0 BETA.

The pebble smartwatch runs its own operating system: Pebble OS.  Pebble OS is a customized version of the open source operating system FreeRTOS.  RTOS stands for real time operating system.

Acquisition Attempts

Physical Examination & Research

IMAG0334[1]IMAG0333[1]

The device contains seven inputs: four buttons (3 located on one side of the device and 1 located on the other), magnetic power connection, ambient light sensor and a 3d accelerometer.  Its one output is a 1 bit, 144 x 168 pixel, e-ink display.  The device has somewhere between 64 and 128 KB of random access memory, and 1024 KB of storage space.  Pebble Technology equipped the watch with the latest Bluetooth, version 4.0 (a.k.a. low-energy).  The watch is compatible with Android and iOS platforms.

When interacting with the device it was found that the three buttons located on the same side manipulate the device’s user interface in a manner that is: “up” (the top button), “select” (the middle button) and “down” (the bottom button).  The single button located on the other side of the device can be thought of as the “back” button.  This is not a forensically sound method for acquiring evidence, as interacting with the device changes its state, but it is useful for circumstances requiring quick decisions.

The watch sleeps its screen, showing the time, but also updates it periodically.  When shaken a led backlight is activated; the same behavior occurs when a button is pressed.  At the home screen, selecting the “back” button does not return a response. Selecting either up or down buttons will cycle through watchface displays.  Pushing the “select” button will display an application menu.

At the application menu, the “back” button will display the previous screen, “up” and “down” will move and highlight different menu items and the “select” button will launch the highlighted application.  From this menu, data can be acquired about the use of the device.  The watch is packaged with four pre-installed applications: Music, Alarms, Watchfaces and Settings.  When connected to the original device, the Music app allowed for a song library to be examined.  The application also started up displaying the most recent song played.  The Alarms application displayed all alarm times created, active and inactive; as well as an option for a snooze delay.  The Watchface application displayed a menu of all watchface apps loaded onto the device.  The defaults were: Text Watch, Classic Analog and Simplicity.  The final, menu item was Settings.  Settings contained seven items, two of which were useful submenus: “Bluetooth” and “About”.   The Bluetooth submenu displayed a status: on or off, and a list of all devices that had been paired with and the current connection.  The device used in this study displayed the mobile phone it was connected to, “HTC One,” and the computer it had been previously connected to “ubuntu-0.”  This is useful information for pointing an investigator in the direction of finding multiple devices containing information.  When selecting the “About” submenu, the device displayed the Bluetooth address, firmware and recovery versions, bootloader, hardware, serial number, uptime and status of a feature called “App Logging.”   App Logging allows a developer to code messages into an application for debugging purposes.  If this feature is enabled it is possible that the user of the device was writing a custom application.  A custom application loaded onto the device would be displayed in the main menu of the device; but a suspicious person could delete the app and forget to change the app log setting.

Hcitool

Hcitool is a Linux command line tool used to configure Bluetooth connections and to send special commands to Bluetooth devices.  This acquisition attempt aimed to logically image the device, at the very least pulls as many files/packages possible.  In order to use this tool, the device was paired with an Ubuntu machine and a connection established.  Connecting the device was a little tricky.  The watch is automatically undiscoverable.  To activate discoverable mode, the user has to simply visit the Bluetooth menu in Settings.  Then, there is only a short window of time to either acquire a Bluetooth address with an hcitool scan command.  After scanning, I acquired the Bluetooth address for the pebble device: 00:17:EC:50:FC:11.  Next, I used ­hcitool cc 00:17:EC:50:FC:11 to create a connection with the device.  To acquire some basic information about the device, I used hcitool info 00:17:EC:50:FC:11.  This command printed the device name and Bluetooth features.  An image of the output can be seen below.

IMAG0319[1]

Lastly, the hcitool con command displayed information about the state of the connection with the device.  Unfortunately any other command was met with an error command “unable to perform operation.”  After much searching, I could not find a solution to this, much less anyone who has had the same problem.  There was no other step to take with this acquisition attempt.

Pebble SDK

The final technique attempted in this study was the Pebble SDK.  The pebble sdk is free software package and can be downloaded from developer.getpebble.com.  Registration is required prior to download, but it is minimal.  The pebble sdk comes equipped with functions to load applications onto the device.  These functions are similar to that of libpebble, but communication with the pebble device is established through an intermediate mobile device.  Therefore, the mobile device in this study had the Android Pebble application installed (version 2.0).  Inside application developer settings, “Enable Developer Connection” must be checked to use the pebble command line tool.  This tool also required that the mobile device and workstation be connected to the same wireless network.  When the pebble was connected with the mobile device, the home screen of the pebble mobile application displayed the IP address of the mobile device.  In a command line interface, SDK commands are inputted in a format like pebble install –phone 192.168.1.42.  This command can be used to install a pebble application to the watch.  In this study list, logs, screenshot and repl were commands of interest.  The list command displayed all of the installed application on the watch. Logs displayed log real-time log data from the watch.  Screenshot commanded the watch to capture an image of its own screen.  Repl opened an interactive python shell. Below are images of the results of these commands.

IMAG0348

This image shows the results of the logging command. Each “Got system message …” was the result of an event taking place in the watch.  All events were triggered by a button pressed that also changed the user interface.

IMAG0352

Above is a demonstration of the ping command.  The watchface showed that the ping was received.  Another thing I wanted to demonstrate is that some of the commands work and some don’t.  The pebble screenshot function timed out, and provided an error asking if the device was connected.  Immediately after the timeout, I ran another ping command to test if the watch was still connected.  The ping was successfully received by the watch.  The cause of this problem is unexplained.

IMAG0349

IMAG0350

The top image shows the results of running the repl command followed by the help() command.  The second image displays a list of the python keywords available in the repl.

The image below shows different repl topics.

IMAG0351

This attempt unfortunately did not yield any information that wasn’t already acquired from the device.

libpebble

Another acquisition option used was a library of scripts called libpebble.  These scripts are located on GitHub and are free for public download, github.com/pebble/libpebble.  Libpebble is a library of functions for a direct connection with a pebble device.  Functionality includes sending information to the device or changing its state.  Most information that can be gathered with libpebble can be gathered through previous techniques. The library also provides the ability to open a python repl (read evaluate print loop) application.  Repl’s allow a developer to run lines of code much like they would enter a command into a command line interface. libpebble is a sweet of functions very much like the Pebble SDK.  The major difference is that the commands are sent directly to the Pebble watch instead of being relayed through the mobile device.  This acquisition attempt yielded the same results as the Pebble SDK.

Android Apps

Mobile applications were another avenue taken in this study.  There are a number of applications on the market, but “Bluetooth File Transfer” was the most appropriate with the highest user rating.  With a connected watch set to discoverable mode I ran this application.

Screenshot_2014-03-12-16-02-36

The image above is a screenshot of an error when the application tried to connect with the pebble watch.  The application tried to set up a file-sharing connection with the pebble watch.  At the very top of the screenshot is a notification bar.  In the notification bar the icon to the furthest left is a pebble status icon.  The icon signifies that the mobile phone and pebble watch were connected; that same icon with an “x” overtop would indicate that the devices were not connected.  To ensure that there were no hindrances, I disconnected and unpaired the devices, put the watch in “discovery” mode and re-ran the application, only to receive the same error.  From this information, I can conclude that the pebble smartwatch does not have any active/open OBEX functionality.  OBEX (OBject EXchange) is a communication protocol for the exchange of binary objects between devices.  OBEX is a part of Bluetooth.  This acquisition attempt did not acquire any data, but it does rule out any other attempt that would use OBEX to acquire data.

Issues or Problems

The biggest problem I had in this study was the inability to control a reliable wireless connection.  Any attempt to gain information was met with an error; errors that were unexplainable and no easily accessible solutions.  It is my speculation that pebble’s Bluetooth communication features are much different than a typical Bluetooth device.  Pebble Inc. has either locked down or completely removed Bluetooth features that could be helpful for data acquisition.  Because of the sensitivity of the data sent to the smartwatch(texts and emails), it is likely that Bluetooth functionality was limited for security purposes.

Learning Possibilities

Ubertooth

Ubertooth is a project focused on wireless development and Bluetooth experimentation.  Project Ubertooth allows an individual a resource to build and modify a Bluetooth usb dongle.  Ubertooth also provides open source software and firmware that can be edited for specific needs and goals.  It is a somewhat large and complicated project to build and program a dongle, but the benefits are may be worth the effort.  Ubertooth is an all channel Bluetooth sniffer.  Further investigation in this technology could provide low-level packet information, and a means to acquire data from the pebble.

Mobile App Development

There is an opportunity for the development of a mobile application that can acquire pebble data.  Pebble provides api documentation for an individual to write a mobile application to acquire an image of a pebble.  Pebble is an interesting product because it also allows the customer to develop watch apps.  A developer with FreeRTOS experience, C programming skills, Java (or C# for iOS devices) programming skills and a solid understanding of Bluetooth would be a great candidate for this project.  A custom pebble application working in tandem with a custom mobile application may be the solution to this problem.

Conclusion

This study of the Pebble Smartwatch was not able to acquire any physical or logical image of the device.  This study explored the basic acquisition techniques for a device like this.  This research has laid the groundwork for further work on these devices.  Coincidentally, at the completion of this analysis, Pebble Technology released version 2.0.14 of its mobile application.  This newer version may include patches to the pebble sdk or an updated communication protocol between the watch and the mobile device.  The Pebble Smartwatch is a very intricate piece of technology, with limited information about its inner workings; this device requires much more attention and research.

Leave a Reply