Nullcon Goa

Pre-Pairing GATT Write Flaw in Smartwatch Ecosystems


Course

Gurjot Singh, Vipin Venu and Arjun V of Innspark Solutions expose a BLE vulnerability class that lets any nearby attacker send commands to unprotected smartwatches - no pairing, no authentication required.

Budget smartwatches dominate India's consumer market, yet most ship with a critical design flaw: Their GATT characteristics accept writes on completely unauthenticated, unencrypted connections, allowing any attacker within radio range to send arbitrary payloads to the device. This class of vulnerability - dubbed Unauthenticated Pre-Pairing GATT Write (UPPGW) - stems not from a single CVE but from implementation choices baked into OEM firmware across multiple vendors.

In this session, led by Gurjot Singh, Vipin Venu and Arjun V of Innspark Solutions, you will learn:

  • How GATT characteristics and BLE connection architecture enable unauthenticated write access before any pairing or encryption occurs;
  • How reverse engineering OEM firmware and payload structures enables an attacker to spoof calls, inject notifications, trigger alarms and reset devices without user consent;
  • Why UPPGW constitutes a control plane exposure affecting an estimated 70% of smartwatches in the Indian market, and what secure-by-design implementation looks like.

Here is the course outline:

Unauthenticated Pre-Pairing GATT Write Vulnerability in Smartwatch Ecosystems

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
