Tech

Smartwatch security fails to impress: Top devices vulnerable to cyberattack

A new study into the security of smartwatches found that 100 percent of popular device models contain severe vulnerabilities.

Written by Charlie Osborne, Contributing Writer July 22, 2015 at 10:25 a.m. PT

A research study conducted by Hewlett-Packard has found serious security issues in today's top smartwatch wearable devices.

Smartwatches are part of the wearable device trend, which extends from medical devices and fitness trackers to acting as an extension of your smartphone.

The Apple Watch and Android Wear are examples of popular wearable devices on the market which can pair with smartphones and allow you to view online notifications, send messages and control apps through either the small display or through voice control.

Wearables can be useful and have grown in popularity with the arrival of the Internet of Things (IoT) concept in the marketplace. However, as smartwatches become mainstream, cybercriminals have been gifted with a new avenue to exploit in the quest to steal valuable data.

Revealed on Wednesday, HP's Smartwatch Security Study suggests that while wearable technology is on the rise, security has been left behind. The tech giant's research team combined manual testing along with the use of digital tools and HP Fortify on Demand -- on both iOS and Android-based smartwatches -- to evaluate a total of 10 of today's "top" devices on the market.

In HP's words, the results were "disappointing, but not surprising." The tech giant found that every one of the ten devices analyzed contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns.

HP found insufficient user authentication and authorization to be common issues within smartwatches. Every smartwatch tested was paired with a user interface which lacked two-factor authentication or the ability to lock out accounts after a select number of failed password input attempts. In total, 30 percent of the devices analyzed were vulnerable to account harvesting in one form or another.

The researchers also found that smartwatches demonstrated a lack of transport encryption protocols. While every device implemented encryption using SSL/TLS, 40 percent of devices continue to be vulnerable to known vulnerabilities such as POODLE, or still used SSL v2.

Featured

In total, 30 percent of smartwatches use cloud-based web interfaces, which HP said "exhibited account enumeration concerns." In separate tests, HP said this arrangement enabled hackers to identify valid user accounts through reset password services.

In addition, seven out of 10 devices analyzed were found to have problems with firmware updates. The smartwatches often did not receive encrypted firmware updates, and while a number of updates were signed to help prevent malicious code or contaminated updates from being installed, a lack of encryption did allow files to be downloaded and looked at elsewhere.

Finally, HP says smartwatches demonstrate a risk to personal security and privacy. All the smartwatches analyzed collected some form of personal identifiable information -- and when combined with lax security, you are placing consumers at risk.

"Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities," said Jason Schmitt, general manager of HP Security at Fortify.

"As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks."

While vendors work to boost the security of wearable devices, HP recommends that consumers do not enable sensitive access control functions such as car or home access -- in other words, do not connect your smartwatch to the keys to your kingdom -- unless you have some means of implementing strong authorization measures. In addition, putting standard security measures in place such as a strong password and two-factor authentication can help keep your device and data safe.