Smartwatches aren't so clever when it comes to security
Smartwatches aren't so clever when it comes to security
Smartwatch manufacturers are failing to secure sensitive data on their devices, warned a Trend Micro report.
The IT security firm said that smartwatches running Google's Android Wear and even the Apple Watch are not as secure as they should be.
The research looked at devices from Apple, Samsung, Motorola, LG, Sony, Asus and Pebble to see how they fared when it came to physical and information security.
The devices were updated to the latest operating system for the study and was paired with a related smartphone, such as an iPhone 5, Motorola X or Nexus 5.
Trend Micro said that physical device protection across all smartwatches was found to be poor, with no authentication via passwords or other means being enabled by default.
“This would enable free access if the wearable was stolen. All devices apart from the Apple Watch failed to contain a timeout function, meaning that passwords had to be activated by manually clicking a button,” the report said.
It said the Apple Watch did better than Android or Pebble rivals, but contained the largest volume of sensitive data, so could potentially give away a lot of detail about the owner if stolen.
All the watches on test saved local copies of data, which could be accessed through the watch interface when taken out of range of the paired smartphone.
“This means that anyone who compromised the wearable would have access to this data. All of the devices stored unread notifications, except the Pebble, as well as fitness and calendar data,” said the report.
"Across all of the smartwatches that were tested, it is clear that manufacturers have opted for convenience at the expense of security," said Bharat Mistry, cyber-security consultant at Trend Micro. "On the surface, a lack of authentication features can make devices appear easier to operate, but the risk of having personal and corporate data compromised is much too big of an issue to forget about."
Trend Micro said that manufacturers must ensure that simple security features, such as limited password attempts, are enabled on devices by default.
“This considerably reduces the likelihood of data breaches. Smartwatch manufacturers must be cognisant of the fact they can slash data breaches by employing this best practice,” said Mistry.
Dr. Steven Furnell, senior member of the IEEE, told SC Magazine UK that even though smartwatches are typically companion devices to smartphones, they nonetheless end up storing data in their own right.
“So an unprotected watch could still reveal something business-relevant (schedules, messages, unread notifications etc),” he said.
“The ability to have some level of authentication on the smartwatch is clearly a valuable safeguard. Linked to this theme, the Trend Micro study mentions using the proximity of the smartwatch to act as an authenticator for the smartphone, which I think is a really bad idea,” he added.
“I like the Apple Watch approach, where the watch can be set to lock when taken off the wrist, and where performing an explicit authentication on the phone can unlock it again. However, this does not work the other way around (i.e. the watch cannot unlock the phone), thereby recognising the phone as the primary asset.”
Furnell added that as a baseline, organisations can protect themselves by ensuring that staff are made aware of the safeguards they need to use, and given guidance on how to use them.
Nicko van Someren, chief technology officer at Good Technology, told SC Magazine UK that many users are blindly adding their new watches to mobile devices that hold a wealth of corporate information, creating potential security vulnerability for their employers.
“With native mail and calendar applications sending alerts and notifications to the watch by default, even more devices will have access to corporate information, potentially putting more important data at risk. Industries, particularly those that are highly regulated, need to establish a policy that outlines which users are eligible, which devices can be supported and which mobile applications are acceptable,” he said.
Van Someren added that one way to ensure enterprise data is secure on smartphones, tables and wearable devices is keeping it in separate, encrypted containers. “That can mean managing the flow of alerts to smart devices as well as controlling the flow of data between apps. Clear policy controls will mitigate the security risks that come with these new devices.”
Mark James, security specialist at IT Security Firm ESET said that malware will be a big concern for smartwatches, along with compromised firmware versions and specific targeted attacks directed at the watch itself. “Then tag this with smartwatch specific apps, the security will need to be a very big feature of this desirable hardware. The bad guys will target any new potential market,” he added.
Chris Camejo, director of Threat and Vulnerability Analysis at NTT Com Security, told SC Magazine UK that at this point smartwatches are too new and security researchers haven't torn into them yet. “We don't know how secure their communication protocols are, how much data ends up stored on the watch, how the data is secured within the watch, or if and implementation mistakes have weakened a system that should be more secure than it is,” he said.
Camejo said that Apple's approach to security on the iPhone has had quite a bit of success. The closed platform, “walled garden” app store, rapid closing of jailbreaks and other security vulnerabilities, and overall software design have combined to make iPhones fairly resistant to attacks.
“The Android platform on the other hand is very fragmented and harder to patch consistently, the result is that most mobile malware affect Android but not Apple's iOS. It wouldn't be too far fetched to expect that the trend will continue with the Apple Watch being a more secure but more limiting platform while Android is wide open but exposes more vulnerabilities,” added Camejo.