
Smartwatches Are Extremely Vulnerable to Security Threats, Study Shows

Răzvan MUREȘAN

July 21, 2015

Smartwatches harbor significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns, according to HP’s security assessment.

No smartwatch the company tested had two-step authentication security enabled, while some 30% were vulnerable to account harvesting, with attackers easily gaining access to their operating systems. HP’s Smartwatch Security Study evaluated 10 smartwatches available for sale.

“As manufacturers work to incorporate necessary security measures into smartwatches, consumers are urged to consider security when choosing to use a smartwatch,” the authors of the study say. “It’s recommended that users do not enable sensitive access control functions such as car or home access unless strong authorization is offered. In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorized access to data. These security measures are not only important to protecting personal data, but are critical as smartwatches are introduced to the workplace and connected to corporate networks.”

Here is a list of the main vulnerabilities affecting smartwatches, according to HP:

Insufficient User Authentication/Authorization: Every smartwatch tested was paired with a mobile interface that lacked two-factor authentication and did not lock out accounts after 3-5 failed attempts to enter the password. Three in 10 were vulnerable to account harvesting, meaning an attacker could access the device and data via a combination of weak password policy, lack of account lockout and user enumeration.

Lack of transport encryption: Transport encryption is critical given that personal information moves to multiple locations in the cloud. While 100 percent of the tested products implemented transport encryption using SSL/TLS, 40 percent of the cloud connections were vulnerable to the POODLE attack, allowed the use of weak ciphers, or still used SSL v2.
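The three transport findings above (a protocol floor that still admits SSLv3/TLS 1.0, obsolete cipher suites, and SSL v2) are all properties of a client or server TLS configuration that can be audited before a single connection is made. The following is an added illustration, not code from HP's study or from any smartwatch vendor: it uses only Python's standard `ssl` module to compare a permissive context with a hardened one. The weak-cipher markers and the TLS 1.2 floor are the author's policy choices, not values taken from the report.

```python
import ssl

# Cipher-name fragments that mark obsolete or broken algorithms (policy choice, not from the study):
# RC4, 3DES/DES, NULL encryption, export-grade suites, MD5 MACs and anonymous key exchange.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "MD5", "ADH", "AECDH")

# Anything below TLS 1.2 means SSLv3 or TLS 1.0/1.1 CBC suites may be negotiated,
# which is the POODLE-class exposure the article describes.
REQUIRED_FLOOR = ssl.TLSVersion.TLSv1_2


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of human-readable findings for a TLS context; empty means it passes."""
    findings = []
    if ctx.minimum_version < REQUIRED_FLOOR:
        findings.append(
            f"legacy protocol floor: {ctx.minimum_version.name} "
            f"(SSLv3 / TLS 1.0 CBC suites remain negotiable)"
        )
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {name}")
    return findings


def legacy_context() -> ssl.SSLContext:
    """Constructed stand-in for the permissive configurations the study flagged: no protocol floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Hardened form: TLS 1.2 floor and only forward-secret AEAD suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = REQUIRED_FLOOR
    # Cipher string is a policy choice: ECDHE key exchange with AES-GCM or ChaCha20,
    # explicitly excluding anonymous, NULL, MD5, RC4 and 3DES suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        result = audit_context(ctx)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

The same `audit_context` check can be applied to a context a companion app or cloud client actually uses, so the protocol floor and cipher list are reviewed as configuration rather than discovered later by an external scan.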

Insecure Interfaces: Thirty percent of the tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate test, 30 percent also exhibited account enumeration concerns with their mobile applications. This vulnerability lets hackers identify valid user accounts through feedback from reset password mechanisms.
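The authentication and interface findings describe three related defects: no lockout after repeated failures, a password-reset flow whose reply reveals whether an account exists, and a login whose responses let an attacker tell accounts apart. The following is an added example written for this article, not code from HP's study or any vendor's companion app; it shows the leaky reset pattern beside a uniform one and a login handler with lockout and a single generic failure message. The user store, the e-mail addresses, the lockout threshold and the PBKDF2 parameters are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Lock the account after this many consecutive failures (within the 3-5 attempt range the study cites).
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000
# Constructed fixed salt, used only to equalise work when the account does not exist.
_DUMMY_SALT = b"\x00" * 16
# One response string for every login failure, so a wrong password, an unknown account
# and a locked account are indistinguishable from outside.
GENERIC_FAILURE = "Invalid credentials"


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    reset_token: str = ""


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(store: dict, email: str, password: str) -> None:
    salt = os.urandom(16)
    store[email] = Account(salt=salt, pw_hash=_derive(password, salt))


def login(store: dict, email: str, password: str) -> str:
    acct = store.get(email)
    if acct is None:
        _derive(password, _DUMMY_SALT)  # same cost as a real check: no timing oracle
        return GENERIC_FAILURE
    if acct.locked:
        return GENERIC_FAILURE  # lockout is recorded server-side, not announced
    if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0
        return "OK"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
    return GENERIC_FAILURE


def _issue_reset_token(store: dict, email: str) -> str:
    # Stand-in for queueing a reset e-mail; the token never appears in the HTTP reply.
    token = secrets.token_urlsafe(32)
    store[email].reset_token = token
    return token


def reset_password_leaky(store: dict, email: str) -> str:
    """The pattern the study flagged: the reply differs for known and unknown accounts."""
    if email not in store:
        return "No account found for that e-mail address"
    _issue_reset_token(store, email)
    return "A reset link has been sent"


def reset_password_uniform(store: dict, email: str) -> str:
    """Hardened form: identical reply either way; the token is only issued internally."""
    if email in store:
        _issue_reset_token(store, email)
    return "If an account exists for that address, a reset link has been sent"


if __name__ == "__main__":
    store = {}
    register(store, "alice@example.com", "correct horse battery staple")  # constructed account
    print(login(store, "alice@example.com", "correct horse battery staple"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        login(store, "alice@example.com", "wrong")
    print("locked:", store["alice@example.com"].locked)
    print(reset_password_leaky(store, "nobody@example.com"), "|", reset_password_leaky(store, "alice@example.com"))
    print(reset_password_uniform(store, "nobody@example.com"), "|", reset_password_uniform(store, "alice@example.com"))
```

The detection side of the same defect is simple to test for: submit a reset request for a known and an unknown address and compare the responses byte for byte, including status code and response time; any difference is an enumeration oracle.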

Insecure Software/Firmware: A full 70 percent of the smartwatches were found to have concerns with protection of firmware updates, including transmitting firmware updates without encryption and without encrypting the update files. However, many updates were signed to help prevent installation of contaminated firmware. While malicious updates cannot be installed, lack of encryption allows the files to be downloaded and analyzed.

Privacy Concerns: All smartwatches collected some personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal information is a concern.

“Smartwatches have only started to become a part of our lives, but they deliver a new level of functionality and we will increasingly use them for sensitive tasks,” said Jyoti Prakash, country director of India and SAARC countries for HP Enterprise Security Products. “As this activity accelerates, the watch platform will become vastly more attractive to those who would abuse that access, and it’s critical that we take precautions when transmitting personal sensitive data or bringing smartwatches into the workplace.”

A previous study showed that 70 percent of the most commonly used Internet of Things (IoT) devices contain vulnerabilities, including password security, encryption and general lack of granular user access permissions.
