Smartwatches harbor significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns, according to HP’s security assessment.
No smartwatch the company tested had two-step authentication security enabled, while some 30% were vulnerable to account harvesting, with attackers easily gaining access to their operating systems. HP’s Smartwatch Security Study evaluated 10 smartwatches available for sale.
“As manufacturers work to incorporate necessary security measures into smartwatches, consumers are urged to consider security when choosing to use a smartwatch,” the authors of the study say. “It’s recommended that users do not enable sensitive access control functions such as car or home access unless strong authorization is offered. In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorized access to data. These security measures are not only important to protecting personal data, but are critical as smartwatches are introduced to the workplace and connected to corporate networks.”
Here is a list of the main vulnerabilities affecting smartwatches, according to HP:
Insufficient User Authentication/Authorization: Every smartwatch tested was paired with a mobile interface that lacked two-factor authentication and did not lock out accounts after 3-5 failed attempts to enter the password. Three in 10 were vulnerable to account harvesting, meaning an attacker could access the device and data via a combination of weak password policy, lack of account lockout and user enumeration.
Lack of transport encryption: Transport encryption is critical given that personal information moves to multiple locations in the cloud. While 100 percent of the test products implemented transport encryption using SSL/TLS, 40 percent of the cloud connections were vulnerable to the POODLE attack, allowed the use of weak ciphers or still used SSL v2.
Insecure Interfaces: Thirty percent of the tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate test, 30 percent also exhibited account enumeration concerns with their mobile applications. This vulnerability lets attackers identify valid user accounts through the feedback returned by password reset mechanisms.
Insecure Software/Firmware: A full 70 percent of the smartwatches were found to have concerns with protection of firmware updates, including transmitting firmware updates without encryption and without encrypting the update files. However, many updates were signed to help prevent installation of contaminated firmware. While malicious updates cannot be installed, lack of encryption allows the files to be downloaded and analyzed.
Privacy Concerns: All smartwatches collected some personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal information is a concern.
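Two of the findings above, the missing lockout after a handful of failed logins and the password reset responses that reveal whether an account exists, come down to a few lines of server-side logic. The following is an added illustration, not code from HP's study or from any tested product: a hypothetical account service with lockout after five failures, a reset handler in the leaky form the study flags, and the same handler rewritten to answer identically for known and unknown usernames.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5  # lock after 5 bad passwords, in the 3-5 range the study expects


@dataclass
class Account:
    password: str          # plaintext only to keep the example short; store a hash in real code
    failed_attempts: int = 0
    locked: bool = False


class AuthService:
    """Hypothetical account backend; accounts is a constructed in-memory table."""

    def __init__(self, accounts: dict[str, Account]):
        self.accounts = accounts
        self.reset_tokens: dict[str, str] = {}

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(acct.password, password):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True      # blocks online guessing of this account
        return False

    def request_reset_leaky(self, username: str) -> str:
        # The pattern behind the enumeration finding: the reply itself says
        # whether the username is registered, so a list of guesses can be confirmed.
        if username not in self.accounts:
            return "No account with that username"
        return "Reset email sent"

    def request_reset(self, username: str) -> str:
        # Hardened form: identical reply for every input. The token is only
        # generated for real accounts and would be delivered out of band (email),
        # so the response reveals nothing about account existence.
        if username in self.accounts:
            self.reset_tokens[username] = secrets.token_urlsafe(32)
        return "If an account exists for that username, a reset email has been sent"
```

The hardened reset still does slightly more work for existing accounts, so a production service should also keep response time uniform and rate-limit the endpoint.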
“Smartwatches have only started to become a part of our lives, but they deliver a new level of functionality and we will increasingly use them for sensitive tasks,” said Jyoti Prakash, country director of India and SAARC countries for HP Enterprise Security Products. “As this activity accelerates, the watch platform will become vastly more attractive to those who would abuse that access, and it’s critical that we take precautions when transmitting personal sensitive data or bringing smartwatches into the workplace.”
A previous study showed that 70 percent of the most commonly used Internet of Things (IoT) devices contain vulnerabilities, including password security, encryption and general lack of granular user access permissions.