The smartwatch revolution is near, and sales of these hot new wearables are sure to be strong for back to school. However, a new report is raising serious security concerns about that little computer on your wrist.
The Apple Watch has generated new interest in the smartwatch and the wearables market, so the security researchers at HP Fortify evaluated 10 of the top Android and iOS (read, the Apple Watch) smartwatches on the market from the perspective of an attacker. And the results weren’t pretty.
Examining the management capabilities, mobile and cloud interfaces, network posture and other elements of the smartwatches that could be exposed to attack, the researchers found significant vulnerabilities in every device tested. HP researchers called the results disappointing, but not surprising.
“We continue to see deficiencies in the areas of authentication and authorization along with insecure connections to cloud and mobile interfaces,” said the report. “Privacy concerns are magnified as more and more personal information is collected. Issues with the configuration and implementation of SSL/TLS that could weaken data security were also present.”
For the study, HP’s researchers looked at 10 popular smartwatches, their paired mobile device and corresponding application. Common use cases included activity and health monitoring, messaging, scheduling and email, and all functions required the mobile device to get the information to the smartwatch – therefore, the security of both devices was relevant.
Taking a closer look at the applications and the relationship between the devices, researchers found issues around privacy, account harvesting, and firmware updates happening in the clear, and one watch had a DNS service opening it up to a DNS amplification attack.
Researchers found weak password schemes on watches with a cloud interface, 90 per cent of watch communications were easily intercepted, 70 per cent of firmware was transmitted without encryption, and half of the devices had no screen lock to make them harder to access if lost or stolen. Devices with a mobile app requiring authentication placed no limits on account enumeration, so combined with simple short passwords, a hacker could easily guess their way into the app. All in all, HP said 30 per cent of the smartwatches tested were vulnerable to account harvesting.
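The account-harvesting finding above comes down to two server-side defects: the companion app's backend tells an attacker which usernames exist, and it never stops them trying. The following is an added illustration (not code from the HP report or any vendor) of the defender's side of both: a detector that flags one source probing many distinct accounts in a constructed login log, and a login check that answers unknown users, wrong passwords and locked accounts with the same message and the same amount of work. The log format, field names and sample values are assumptions.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Constructed sample lines from a hypothetical companion-app login endpoint
# (format and values are assumptions, not taken from the HP report).
SAMPLE_LOG = """\
2015-07-22T10:00:01Z src=203.0.113.5 user=alice result=NO_SUCH_USER
2015-07-22T10:00:02Z src=203.0.113.5 user=bob result=NO_SUCH_USER
2015-07-22T10:00:02Z src=203.0.113.5 user=carol result=BAD_PASSWORD
2015-07-22T10:00:03Z src=203.0.113.5 user=dave result=NO_SUCH_USER
2015-07-22T10:00:03Z src=203.0.113.5 user=erin result=NO_SUCH_USER
2015-07-22T10:00:04Z src=203.0.113.5 user=frank result=NO_SUCH_USER
2015-07-22T10:05:00Z src=198.51.100.9 user=grace result=BAD_PASSWORD
2015-07-22T10:05:30Z src=198.51.100.9 user=grace result=OK
"""
LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")

def flag_enumeration(log_text, threshold=5):
    """Sources whose failed logins touched >= threshold distinct accounts:
    the signature of account harvesting, not of one user mistyping."""
    probed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) != "OK":
            probed[m.group(1)].add(m.group(2))
    return {src: sorted(u) for src, u in probed.items() if len(u) >= threshold}

# Mitigation side: a login check that offers no account-existence oracle.
MAX_ATTEMPTS = 5
FAILURE = "invalid username or password"  # same text for every failure cause
ITERATIONS = 50_000                        # PBKDF2 work factor (illustrative)

def make_record(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Hashing against a dummy record for unknown users keeps response time uniform.
DUMMY_RECORD = make_record("placeholder")

def login(users, attempts, username, password):
    """users: {name: (salt, digest)}; attempts: mutable {name: failed count}.
    Note: per-account lockout can be abused to lock out a real user, so a
    production service would pair it with per-source throttling as well."""
    if attempts.get(username, 0) >= MAX_ATTEMPTS:
        return False, FAILURE
    salt, digest = users.get(username, DUMMY_RECORD)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if hmac.compare_digest(digest, candidate) and username in users:
        attempts[username] = 0
        return True, "ok"
    attempts[username] = attempts.get(username, 0) + 1
    return False, FAILURE
```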
HP has five security recommendations for smartwatch users, particularly those in line-of-business roles who may use the devices in a work context.
- Don’t enable sensitive access control functions such as car or home access without strong authentication being offered.
- If there is a passcode functionality, use it.
- Turn on all security functionality such as passcodes, screen locks, encryption and two-factor authentication, if available.
- Use a strong password for any related mobile or cloud applications.
- Don’t approve any pairing requests you aren’t sure are coming from you.
“Despite their currently limited footprint, smartwatches will likely replace smartphones as a convenient way to control communication and manage daily tasks,” said the report, noting that as adoption increases we will begin to use them for more sensitive tasks. “As this activity increases, the watch platform will become vastly more attractive to those who would abuse that access, and scrutiny will increase.”