About the Speaker

“What if anyone in a café could start talking to your smartwatch – without pairing, without your app, without your consent?"

This talk presents a protocol-level vulnerability class we call Unauthenticated Pre-Pairing GATT Write (UPPGW), found across multiple popular BLE smartwatches in the Indian market. Core GATT characteristics that control the watch’s UI and behaviour accept Write / Write Without Response on completely unauthenticated, unencrypted connections, allowing any attacker in radio range to connect as a generic BLE client and push arbitrary payloads straight into the watch.

Notification spoofing is the most visible demo, but it is only one example. The same primitive enables convincing phishing flows on the wrist, silent command and state abuse, battery-drain denial of service, and raises the risk of memory corruption when parsing is fragile.

We walk through how we actively probed four vendors, how we generalised their individual bugs into a single “UPPGW” pattern, and how to recognise this class purely from the GATT view.
 

Gurjot Singh is a cybersecurity researcher focused on security research across web, mobile, IoT, and connected platforms. His work emphasizes identifying high-impact vulnerabilities arising from logic flaws, authentication and authorization weaknesses, and systemic design issues that are often missed by conventional testing approaches. He has conducted security research and assessments on real-world applications, including large-scale consumer platforms and emerging technology systems.

Vipin Venu, a security researcher working across web application and network penetration testing, vulnerability research, and incident response. My work involves performing in-depth security assessments on critical environments, identifying and exploiting high-impact vulnerabilities, and validating real-world attack paths across applications and networks.

I have hands-on experience with network exploitation, traffic analysis, log and disk forensics, and post-incident investigations, along with developing custom Python scripts and security tooling to automate testing, reconnaissance, and analysis workflows. I actively analyze misconfigurations, insecure authentication and authorization flows, and common web and network attack vectors, with a growing focus on offensive security techniques, malware analysis, and adversary simulation.

Arjun V is a seasoned cyber security professional with extensive experience in enterprise VAPT, incident response, and security strategy. He currently serves as the Head of Security Audits and Incident Response at InnSpark Solutions, where he oversees enterprise-level penetration testing, incident handling, and the development of resilient security frameworks.

His career spans roles in security research, penetration testing, and advanced threat analysis. He has contributed to the development of security tools, led high-profile incident investigations, and conducted comprehensive security audits for major clients. His earlier work includes managing large-scale security assessments, coordinating national cybersecurity competitions, and conducting awareness programs for students and professionals.

Beyond his core roles, he has been recognized by global technology companies through bug bounty acknowledgments and Hall of Fame listings for responsible vulnerability disclosures, and has delivered cybersecurity training sessions for various government and educational institutions.

He brings deep technical expertise, a strong offensive-defensive security background, and a commitment to advancing cybersecurity practices across organizations.