Security Alarms Sounding with Smartwatches

Friday, July 24, 2015 @ 05:07 PM gHale

Smartwatches are the new technology starting to capture the attention of users across the globe. There is a caveat, however: they are a security nightmare.

Every single smartwatch tested contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns, said researchers at HP.


As the IoT market advances, smartwatches are growing in popularity for their convenience and capabilities. As they become more mainstream, smartwatches will increasingly store more sensitive information such as health data, and through connectivity with mobile apps may soon enable physical access functions including unlocking cars and homes.

The HP study questions whether smartwatches are fit to store and protect such sensitive data and tasks. HP used HP Fortify on Demand to assess 10 smartwatches, along with their Android and iOS cloud and mobile application components, and uncovered numerous security concerns.

In the report HP provides actionable recommendations for secure smartwatch development and use, both at home and in the workplace.

The most common and easily addressable security issues reported include:
1. Insufficient user authentication/authorization: Every smartwatch tested was paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after 3-5 failed password attempts. Three in ten were vulnerable to account harvesting, meaning an attacker could gain access to the device and data through a combination of weak password policy, lack of account lockout, and user enumeration.
2. Lack of transport encryption: Transport encryption is critical given that personal information is moving to multiple locations in the cloud. While 100 percent of the tested products implemented transport encryption using SSL/TLS, 40 percent of the cloud connections remained vulnerable to the POODLE attack, allowed the use of weak ciphers, or still used SSL v2.
3. Insecure interfaces: Thirty percent of the tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate test, 30 percent also exhibited account enumeration concerns in their mobile applications. This weakness lets an attacker identify valid user accounts from the feedback returned by password reset mechanisms.
4. Insecure software/firmware: Seventy percent of the smartwatches raised concerns about the protection of firmware updates, including transmitting updates without encryption and not encrypting the update files themselves. Updates were, however, signed, which helps prevent the installation of tampered firmware. While malicious updates cannot be installed, the lack of encryption allows the update files to be downloaded and analyzed.
5. Privacy concerns: All smartwatches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account enumeration issues and the use of weak passwords on some products, exposure of this personal information is a concern.
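Items 1 and 3 above describe two of the most common findings: password reset responses that reveal whether an account exists, and logins with no lockout after repeated failures. The following is an added illustration, not code from the HP report or from any smartwatch vendor, of what the weak and the hardened versions of such a backend look like. The user store, the password, the reset messages and the lockout threshold (5, within the report's 3-5 range) are all constructed for the example.

```python
"""Added example (not from the HP report): a minimal password-reset and login
backend showing the account-enumeration and missing-lockout weaknesses the
report describes, beside a hardened version. All data here is constructed."""
import hashlib
import hmac
import os

# Constructed sample user store: username -> salted PBKDF2-SHA256 hash.
_SALT = os.urandom(16)


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {
    "alice@example.com": _hash_password("correct horse battery staple"),
}

MAX_FAILED_ATTEMPTS = 5  # assumed threshold; the report cites 3-5 attempts
GENERIC_RESET_MESSAGE = "If that address is registered, a reset link has been sent."
OUTBOX = []  # stands in for the out-of-band email channel


def reset_password_vulnerable(username: str) -> str:
    """Leaks account existence: the response differs for known and unknown
    accounts, which is exactly the feedback enumeration relies on."""
    if username in USERS:
        return "Reset link sent."
    return "No account with that address."


def reset_password_hardened(username: str) -> str:
    """Same response whether or not the account exists; the reset email (if
    any) goes out of band, so the HTTP reply carries no signal."""
    if username in USERS:
        OUTBOX.append(username)  # would enqueue the reset email here
    return GENERIC_RESET_MESSAGE


class LoginService:
    """Login with a per-username failed-attempt counter and silent lockout."""

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS):
        self.max_failed = max_failed
        self.failed = {}
        self.locked = set()

    def is_locked(self, username: str) -> bool:
        return username in self.locked

    def login(self, username: str, password: str) -> str:
        # Hash the candidate even for unknown or locked users so that response
        # time does not reveal whether the account exists.
        candidate = _hash_password(password)
        stored = USERS.get(username)
        if username in self.locked:
            return "invalid"  # same reply as a bad password: no lockout signal
        if stored is not None and hmac.compare_digest(stored, candidate):
            self.failed.pop(username, None)
            return "ok"
        count = self.failed.get(username, 0) + 1
        self.failed[username] = count
        # Counter is kept for any username, so unknown accounts behave the same.
        if count >= self.max_failed:
            self.locked.add(username)
        return "invalid"


if __name__ == "__main__":
    svc = LoginService()
    print(reset_password_vulnerable("nobody@example.com"))  # leaks existence
    print(reset_password_hardened("nobody@example.com"))    # uniform reply
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice@example.com", "guess")
    print(svc.is_locked("alice@example.com"))
```

The hardened reset handler and the login service deliberately return the same message for an unknown user, a wrong password and a locked account; the only observable difference is that a correct password stops working once the counter reaches the threshold. Unlocking (by time or by the reset flow) is left out, as is the rate limiting a real deployment would add in front of both endpoints.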

As manufacturers work to incorporate necessary security measures into smartwatches, consumers should consider security when choosing to use a smartwatch. Users should not enable sensitive access control functions such as car or home access unless there is strong authorization.
