CVE-2025-69969

SRK Powertech Pvt Ltd · Pebble Prism Ultra

A lack of authentication in the BLE protocol of Pebble Prism Ultra v2.9.2 allows adjacent attackers to execute arbitrary commands, intercept data, and hijack firmware.

Executive summary

The Pebble Prism Ultra smartwatch is subject to complete unauthenticated compromise by attackers in Bluetooth range due to a total lack of authentication and authorization in its communication protocol.

Vulnerability

This vulnerability involves a complete absence of authentication and authorization mechanisms in the Bluetooth Low Energy (BLE) protocol. An unauthenticated attacker in physical proximity (adjacent) can reverse engineer the protocol to execute arbitrary commands, intercept cleartext data, and perform unauthorized firmware hijacking via Over-the-Air (OTA) services.

Business impact

The CVSS score of 9.6 reflects the extreme risk to user privacy and device integrity. An attacker can steal sensitive personal data or turn the device into a tool for further surveillance. For enterprises issuing these devices, this represents a significant data breach risk and a total loss of trust in the device's security posture.

Remediation

Immediate Action: Users should immediately update the device firmware to a version that implements BLE pairing and encryption.

Proactive Monitoring: Users should be wary of unexpected pairing requests or unusual device behavior when in public spaces.

Compensating Controls: Disable Bluetooth on the device when not in use and avoid connecting the device to corporate assets until a patch is verified.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The absence of authentication in a modern BLE device is a critical failure. We recommend that organizations suspend the use of affected Pebble Prism Ultra devices for sensitive operations until the vendor provides a firmware update that enforces encrypted and authenticated communication.