Proposed by: Prasanna Venkadesh

Hacking Amazfit Smartwatch

  1. Almost all smartwatches requires an Android/iOS app which are often built and supplied by OEM manufactures. But these are proprietary apps that requires an account on their servers.
  2. These apps are also required to fetch the health vitals & activity data recorded on the watch to our smartphone. Once it is into the smartphone, these apps upload them to their cloud service.
  3. This violates user's privacy and user has no other option but to consent to the app's privacy policy / ToS.
  4. There exists a FOSS android app called "Gadgetbridge" which aims to eliminate the need of such proprietary apps and let the user to process, analyze and store all of their personal data from the watch to stay on their device.
  5. Out of curiosity, I wanted to create a python program to connect to the watch over Bluetooth from laptop and fetch the data.
  6. Since I own a Amazfit smartwatch, I started with this. In this experiment, I was able to fetch some basic info (sw/hw/fw version, battery percentage, current time, serial number) about the device without even pairing and even send a fake call alert to deceive / distract the person wearing a watch.
  7. The objective of the project is to create a library in python to fetch data from the smartwatch allowing users to own and process their data. The project is still in it's infancy and licensed under AGPL v3.
  8. In this talk, I would like to demonstrate how vulnerable Amazfit smartwatches are, would like to highlight privacy concerns, advocate for data ownership.

Source code/Reference:

Talk duration: