All smartwatches are vulnerable to attack, finds study

All ten smartwatches tested by HP Fortify reported significant security vulnerabilities, along with their Android and iOS cloud and mobile application components, according to a new report.


The report is seen as a good indicator of the current security posture of smartwatch devices given the similarity of issues raised, such as insufficient authentication, weak encryption and other privacy concerns. Experts have said that they are cause for concern considering these devices will be storing sensitive information like health data.

Jason Schmitt, general manager, HP Security, Fortify, said in an email to journalists: “As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.”

Darin Welfare, VP EMEA, WinMagic agrees: “Whilst a breach of these devices can be hugely inconvenient for an individual, the consequences of a hack happening with the device connected to the company network could be catastrophic for a business.

“This means that IT departments must start planning for the growing use of wearable devices on the company network, and should start implementing security protocols that will limit the risk from these devices. This starts with education on the veracity of passwords and ideally would include full encryption of all devices on the company network. To better secure these devices, manufacturers should look at encryption at the hardware level, which will ensure that any data mined from the device is unusable. IT teams should be starting these conversations today so they are not blindsided tomorrow.”

HP reports the most common and easily addressable security issues as:

  • Insufficient user authentication/authorisation: Every smartwatch tested was paired with a mobile interface that lacked two-factor authentication (2FA) and the ability to lock out accounts after three to five failed password attempts. 3 in 10 allowed an attacker to access the device and data via a combination of weak password policy, lack of account lockout, and user enumeration.
  • A lack of transport encryption: Deemed critical given that personal information is being moved to multiple locations in the cloud. All products tested implemented transport encryption using SSL/TLS, but 40 percent of the cloud connections remain vulnerable to the Poodle attack, allow the use of weak ciphers, or still accept SSL v2.
  • Insecure interfaces: 30 percent used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate test, 30 percent also exhibited account enumeration concerns with their mobile applications. This vulnerability enables hackers to identify valid user accounts through feedback received from reset password mechanisms.
  • Insecure software/firmware: 70 percent had concerns with protection of firmware updates, including transmitting firmware updates without encryption and without encrypting the update files, though many updates were signed to help prevent the installation of contaminated firmware. However, lack of encryption allows the files to be downloaded and analysed.
  • Privacy concerns: All smartwatches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information whose exposure would be a cause for concern.
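The account enumeration issue described in the "Insecure interfaces" item above comes from a password-reset flow answering differently for registered and unregistered addresses. The following is an added illustration, not code from the HP report or any vendor: a hypothetical reset handler in its leaky form beside a uniform-response version, plus the check a tester would run to tell them apart.

```python
# Added example (hypothetical, not from the HP report): password-reset
# responses that do and do not reveal whether an account exists.
import secrets

# Constructed user store standing in for a real database: e-mail -> issued reset tokens.
USERS = {"alice@example.com": [], "bob@example.com": []}


def reset_leaky(email: str) -> dict:
    """Vulnerable: the status code and message differ for unknown addresses,
    so anyone can confirm which e-mail addresses hold accounts."""
    if email not in USERS:
        return {"status": 404, "body": "No account found for that address."}
    token = secrets.token_urlsafe(32)
    USERS[email].append(token)
    return {"status": 200, "body": "Reset link sent."}


def reset_uniform(email: str) -> dict:
    """Hardened: identical status and body whether or not the account exists.
    A token is always generated so the two paths do comparable work (reducing
    timing differences), but it is stored (and would be e-mailed) only for a
    real account; unknown addresses are never added to the store."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        USERS[email].append(token)
    return {
        "status": 200,
        "body": "If that address is registered, a reset link has been sent.",
    }


def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Defender's check: does the handler return distinguishable responses for a
    registered and an unregistered address? True means enumeration is possible."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("leaky handler enumerable:  ", leaks_existence(reset_leaky, "alice@example.com", "nobody@example.com"))
    print("uniform handler enumerable:", leaks_existence(reset_uniform, "alice@example.com", "nobody@example.com"))
```

The same uniform-response rule applies to login and registration endpoints, which the report's mobile-application findings also cover.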

Kevin Bocek, vice president of security strategy for Venafi, noted that security appears to be an afterthought on internet-enabled devices such as smartwatches, commenting:

“Anything that connects to the internet needs to be secure in order to protect our data. SSL/TLS keys and certificates form the foundation of trust on the internet, and the prevalence of vulnerabilities and attacks on these have shown us that this problem is not going away.

“There's too much blind trust when it comes to SSL/TLS, and attacks such as Heartbleed and Poodle are becoming far too frequent as the bad guys take advantage of the increase in the number of devices, applications and clouds that depend on the trust provided by keys and certificates. Attackers mask their true identity using keys and certificates and hide their actions by encrypting data which means you can't look inside for threats.

“Recent attacks demonstrate that cyber-criminals are exploiting the vulnerabilities created from unsecured keys and certificates. Bad guys will likely look for the easy target and a device such as a Smartwatch is like waving a red flag to a bull!”

Sian John, chief security strategist EMEA, Symantec, adds that the results chime with Symantec's own study on the Quantified Self, which also found that 100 per cent of the wearable activity-tracking devices examined were vulnerable to location tracking.

She adds: “We also found vulnerabilities in how personal data is stored and managed, including passwords being transmitted in clear text. With more and more consumers adopting wearable tech devices, they need to be aware of the potential risks to security and privacy.”

HP urges consumers to consider security when choosing to use a smartwatch and says that sensitive access control functions such as car or home access should not be enabled unless strong authorisation is offered.

Sian suggests that users of gadgets like these use a screen lock or password, choose strong and unique passwords, and be wary of what they share on social media. She warns too of sites or services asking for excessive information, and of apps or services that do not prominently display a privacy policy.

The Symantec exec stresses that these policies should be read, that app and OS updates should be applied as soon as they are available, and that full-device encryption is also highly recommended.

Meanwhile, Bocek concludes by suggesting users know where all their keys and certificates are installed, have detailed information on each key (including owner, algorithm and key lengths, among others) and have recovery plans if keys, certificates or services get compromised.
