
Smartwatches a new frontier for cyber attack, HP study shows

Ten smartwatches tested by HP Fortify contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns

Smartwatches with network and communication functionality represent a new and open frontier for cyber attack, according to a study by HP Fortify.

The study revealed that 100% of the tested smartwatches contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns.

The study report, entitled Internet of things security study: Smartwatches, makes recommendations for secure smartwatch development and use in home and work environments.

As the internet of things (IoT) market advances and smartwatches become more mainstream, they will increasingly store more sensitive information, such as health data, the report said.

Like smartphones, smartwatches are also soon likely to enable physical access functions including unlocking cars and homes.

"Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities," said Jason Schmitt, general manager, HP Security, Fortify.

"As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks," he said.

The study was aimed at testing whether smartwatches are designed to store and protect the sensitive data and tasks for which they are built.

HP used HP Fortify on Demand to assess 10 smartwatches, along with their Android and iOS cloud and mobile application components, to uncover numerous security concerns.

Security issues

According to the report, there are five common and easily addressable security issues.

Topping the list of concerns is insufficient user authentication and authorisation mechanisms. Nearly a third of the smartwatches tested were vulnerable to account harvesting, meaning an attacker could gain access to the device and data because of weak password policies and a lack of account lock-out mechanisms.

Next, the report highlights the lack of effective transport encryption, which it said is critical considering that personal data is being moved to multiple locations in the cloud.

While all smartwatches tested implemented transport encryption using a secure sockets layer (SSL) protocol or transport layer security (TLS), 40% of the cloud connections were vulnerable to the POODLE attack against SSL 3.0, allowed the use of weak ciphers, or still used SSL 2.0, which has a number of known security vulnerabilities. According to the report, watch communications are trivially intercepted in 90% of cases.


Insecure interfaces are another common concern: 30% of the smartwatches tested used cloud-based web interfaces that were vulnerable to brute-force password cracking because feedback from their password-reset mechanisms let attackers identify valid user accounts. In a separate test, 30% also exhibited this vulnerability in their mobile applications.
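An added example, not from the HP report, illustrating the password-reset weakness described above: a handler whose response reveals whether an account exists, beside a hardened handler that returns a uniform message and applies the per-source lock-out the report found missing. The user store, e-mail addresses, source identifiers and attempt threshold are constructed for the example.

```python
"""Password-reset responses that leak account validity, beside a hardened version.

Constructed example: the user store, addresses and lockout threshold are
assumptions for illustration, not values taken from the HP report.
"""
import secrets
from collections import defaultdict

# Constructed user store: the set of registered e-mail addresses.
USERS = {"alice@example.invalid", "bob@example.invalid"}

MAX_ATTEMPTS = 5               # assumed per-source lockout threshold
_attempts = defaultdict(int)   # reset requests seen per source (e.g. client IP)
GENERIC_MSG = "If that address is registered, a reset link has been sent."
LOCKED_MSG = "Too many requests; try again later."


def leaky_reset(email: str) -> str:
    """Vulnerable: the message differs for known and unknown accounts, so a
    caller can confirm valid users one address at a time (account harvesting)."""
    if email in USERS:
        return "Reset link sent."
    return "No account found for that address."


def hardened_reset(email: str, source: str) -> str:
    """Hardened: identical response whether or not the account exists, plus a
    per-source counter so the endpoint cannot be driven at harvesting volume."""
    if _attempts[source] >= MAX_ATTEMPTS:
        return LOCKED_MSG
    _attempts[source] += 1
    if email in USERS:
        token = secrets.token_urlsafe(32)   # single-use token, delivered out of band
        _deliver(email, token)
    return GENERIC_MSG


def _deliver(email: str, token: str) -> None:
    """Stand-in for queuing the reset e-mail. In a real service this should be
    asynchronous so that response time does not differ between known and
    unknown accounts; the token never appears in the HTTP response."""
    pass
```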

Insecure software or firmware is a big concern, with 70% of the smartwatches tested exhibiting vulnerabilities in this area, including transmitting firmware updates over unencrypted connections and without encrypting the update files themselves. However, many updates were signed, which helps prevent the installation of tampered firmware.

Finally, all smartwatches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. As manufacturers work to incorporate necessary security measures into smartwatches, the report said users are urged to consider security when choosing to use a smartwatch. Data collected initially on the watch and passed through to an application is often sent to multiple back-end destinations, regularly including third parties, the report said.

The report recommends users do not enable sensitive access control functions such as car or home access unless strong authorisation is offered. In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorised access to data.

These security measures are not only important to protecting personal data, but are critical as smartwatches are introduced to the workplace and connected to corporate networks, said the report.

In the enterprise, the report said security teams should ensure that TLS implementations are configured and implemented properly, that user accounts and sensitive data are protected by requiring strong passwords, and that controls are implemented to prevent man-in-the-middle attacks.

The report predicts that smartwatches will replace smartphones as a convenient way to control communication and manage daily tasks.

"As this activity accelerates, the watch platform will become vastly more attractive to those who would abuse that access, and scrutiny will increase," the report said.
