CVE-2025-69969
Unauthenticated BLE Command Execution and Firmware Hijack in Pebble Prism Ultra
Publication date: 2026-03-04
Last updated on: 2026-03-09
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pebblepower | pebble_prism_ultra_firmware | to 2.5.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-311 | The product does not encrypt sensitive or critical information before storage or transmission. |
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2025-69969 is a critical security vulnerability in the Bluetooth Low Energy (BLE) implementation of the Pebble Prism Ultra smartwatch by SRK Powertech Pvt Ltd and other devices using a shared SDK. The vulnerability arises from a lack of proper authentication and encryption mechanisms in the BLE protocol, specifically using the "Just Works" pairing method which provides no man-in-the-middle protection or encryption.'}, {'type': 'paragraph', 'content': 'This flaw allows attackers within Bluetooth range to intercept sensitive data such as SMS, caller ID, and app notifications transmitted in cleartext, and to inject arbitrary commands or spoofed alerts onto the device without establishing a secure connection. Additionally, attackers can hijack the device firmware via unauthenticated over-the-air (OTA) update services, enabling malicious firmware installation.'}, {'type': 'paragraph', 'content': 'The vulnerability exploits weaknesses like missing encryption (CWE-311), cleartext transmission of sensitive information (CWE-319), and missing authentication for critical functions (CWE-306), making it possible to compromise confidentiality, integrity, and availability of the device.'}] [1, 2]
How can this vulnerability impact me? :
This vulnerability can have severe impacts on users of affected devices:
- Confidentiality: Attackers can passively sniff and intercept sensitive personal data such as SMS messages, caller identities, and two-factor authentication codes transmitted in cleartext over BLE.
- Integrity: Attackers can inject fraudulent notifications or alerts onto the device, potentially enabling social engineering attacks like fake emergency alerts or false two-factor authentication prompts.
- Availability: The vulnerability allows unauthenticated firmware hijacking via OTA updates, which can lead to device malfunction, denial of service, or permanent compromise by installing malicious firmware.
- Supply Chain Risk: Since the vulnerability stems from a shared SDK used by over 30 manufacturers, a wide range of devices are at risk, broadening the potential attack surface.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by analyzing Bluetooth Low Energy (BLE) traffic for unencrypted notification data and unauthorized write requests to the device's GATT characteristics."}, {'type': 'paragraph', 'content': 'One practical approach is to capture HCI Snoop Logs or BLE traffic using tools like Wireshark to inspect packets for cleartext notification data such as SMS, caller ID, or app alerts transmitted in UTF-16LE encoding.'}, {'type': 'paragraph', 'content': 'Additionally, using Linux BLE tools such as gatttool, you can attempt to connect to the device and send write requests to the primary service UUID 0000fee7-0000-1000-8000-00805f9b34fb to test if arbitrary commands or spoofed notifications can be injected without authentication.'}, {'type': 'list_item', 'content': 'Use Wireshark to capture and analyze BLE traffic for unencrypted notification packets.'}, {'type': 'list_item', 'content': 'Run the command: `sudo btmon` or capture HCI logs on Linux to monitor BLE communication.'}, {'type': 'list_item', 'content': "Use `gatttool` to connect and interact with the device's GATT characteristics, for example: `gatttool -b <device_mac> -I` then `connect` and `char-write-req` commands to test write access."}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling sensitive notification permissions in the companion app and avoiding pairing or using the device in untrusted or high-density Bluetooth environments.
Users should also avoid exposing the device to unknown Bluetooth devices within proximity to reduce the risk of unauthorized access or firmware hijacking.
From a vendor perspective, enforcing BLE Security Mode 1, Level 3 (Authenticated Pairing/Bonding) and implementing cryptographic signature verification for OTA firmware updates are critical to fully mitigate the vulnerability.
- Disable sensitive notification permissions in the FitPro or Pebble Prism Ultra companion app.
- Avoid pairing or using the device in untrusted or crowded Bluetooth environments.
- Request or apply firmware updates from the vendor that enforce authenticated pairing and secure OTA updates once available.