5 Security Concerns for Your Smart Watch
Smart watch technology revolutionized wearables and the watch industry in 2015. Still, HP doesn’t think you should use your smart watch for all of its coolest features. Their new study, after all, identifies vulnerabilities in 10 of the world’s top smart watch brands.
Flaws in the cloud-based systems used by smart watches to store data have raised concerns about smart watch use in general. HP’s findings certainly clarify that many of the most popular smart watches are vulnerable due to user authentication and data storage insufficiencies.
Approximately 6.8 million smart watches were sold in 2014. Apple serves 75 percent of smart watch consumers, having shipped four million devices during the second quarter of 2015. The most recent installment in their series investigating Internet of Things (IoT) security, HP’s new study found that 100 percent of smart watches they tested “contain significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns.”
Already for many, smart watches store sensitive information about them. Alongside ongoing connectivity to the web and mobile apps that can unlock cars and homes, it is clear that a great temptation for exploitation exists. HP’s study shows this is possible.
“Smart watches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities,” said Jason Schmitt, general manager, HP Security, Fortify.
As the adoption of smart watches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smart watches into corporate networks.
HP outlines five main areas for concern. Many of the technologies HP recommends smart watch manufacturers adopt, to be sure, are not used en masse by technology users. So, even if some of the security protocols were offered on smart watches, it is not clear if users would use them. The five main smart watch concerns outlined in the HP studies are as follows:
- Two-factor authentication: All of the smart watches tested by HP featured a mobile interface without two-factor authentication and the ability to lock out accounts after 3-5 failed password attempts. A good example of two-factor authorization is when you use a cash machine. In order to retrieve money, you will need both the correct PIN and the correct card. Three of the smart watches were susceptible to account harvesting, when an attacker gains access through a combination of weak passwords, no account lockouts and user enumeration and, ultimately, the process of elimination. Clues from all over the internet are used for account harvesting: in chat rooms, domain name records, instant messaging, message boards, news groups and all sorts of web-based applications.
- Encryption: Each of the smart watches tested by HP utilized transport encryption using SSL/TLS. Despite this, forty percent of the smart watches’ cloud connections were vulnerable to POODLE attack. This man-in-the-middle attack (short for “Padding Oracle On Downgraded Legacy Encryption”) exploits Internet and security software clients’ fallback to SSL 3.0.
- Insecure interface: Thirty percent of the smart watches were on a cloud-based web interface. All exhibited a lack of account enumeration. 30 percent suffered from the same vulnerabilities on their mobile applications. Thus, attackers could spot up-to-date user accounts by testing reset password apps.
- Poor firmware updates: 70 percent of the smart watches fail to adequately secure firmware updates. Ultimately, without encryption files, the smart watches remain vulnerable to data analysis.
- Sensitive data may be insecure: Smart watches are cool because they incorporate various aspects of your daily life. But, in order to do this, smart watches must also collect personal information, like your name, address, birthdate, and payment information. With health applications, things like weight, gender and heart rate are even included. Because some of the applications, at least, are vulnerable on smart watches, all of them are vulnerable, and HP thinks this should be on the minds of smart watch users.
Of course, smart watch manufacturers will improve the security of their products over time. HP recommends leaving alone for now ultra sensitive features like control to cars or homes, at least on most of the current models.
“These security measures are not only important to protecting personal data, but are critical as smart watches are introduced to the workplace and connected to corporate networks.”
Read the full report here.
Featured image from Ken Wolter / Shutterstock.