CVE-2024-49731
📋 TL;DR
This vulnerability allows the telemetry opt-in settings on other Pixel Watches to be corrupted when a new watch is set up, potentially enabling local privilege escalation. It affects Pixel Watch users who set up a new device while other watches are present. User interaction is required for exploitation.
💻 Affected Systems
- Google Pixel Watch
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical access could escalate privileges on a compromised watch, potentially accessing sensitive data or functionality beyond normal user permissions.
Likely Case
Accidental corruption of telemetry settings on other watches during normal setup, causing privacy configuration issues without malicious intent.
If Mitigated
With proper access controls and user awareness, impact is limited to telemetry settings corruption without data compromise.
🎯 Exploit Status
Requires physical access to a watch and user interaction during the setup process.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: February 2025 security patch for Wear OS
Vendor Advisory: https://source.android.com/security/bulletin/wear/2025-02-01
Restart Required: No
Instructions:
1. Open Settings on Pixel Watch
2. Navigate to System > System updates
3. Check for and install available updates
4. Ensure February 2025 security patch is installed
🔧 Temporary Workarounds
Isolate watch setup
Set up new Pixel Watches in isolation from other watches to prevent telemetry settings corruption.
🧯 If You Can't Patch
- Physically separate watches during setup procedures
- Monitor for unexpected telemetry settings changes on existing watches
🔍 How to Verify
Check if Vulnerable:
Check the Wear OS version under Settings > System > About > Versions. If the installed security patch predates February 2025, the device is vulnerable.
Check Version:
Not applicable; check via the watch's Settings interface.
Verify Fix Applied:
Verify that the February 2025 security patch is installed under Settings > System > System updates > Last update.
📡 Detection & Monitoring
Log Indicators:
- Unexpected telemetry opt-in/opt-out events in system logs
- Multiple watch setup events in proximity
Network Indicators:
- Unusual telemetry data transmission patterns
SIEM Query:
Not applicable for typical consumer watch deployments