HP unveiled results of a security assessment confirming that smartwatches with network and communication functionality represent a new and open frontier for cyberattack. The study found that 100 percent of the tested smartwatches contain significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns.
As the Internet of Things (IoT) market advances, smartwatches are growing in popularity for their convenience and capabilities. Smartwatches, as they become more mainstream, will increasingly store sensitive information such as health data, and will soon enable physical access functions including unlocking cars and homes.
“Smartwatches have only started to become a part of our lives, but they deliver a new level of functionality and we will increasingly use them for sensitive tasks,” said Jyoti Prakash, Country Director, India and SAARC countries, HP Enterprise Security Products (ESP). “As this activity accelerates, the watch platform will become vastly more attractive to those who would abuse that access, and it’s critical that we take precautions when transmitting personal sensitive data or bringing smartwatches into the workplace.”
The most common and easily addressable security issues reported include:
• Insufficient User Authentication/Authorization: Every smartwatch tested was paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after 3-5 failed password attempts.
• Lack of transport encryption: Transport encryption is critical given that personal information is being moved to multiple locations in the cloud.
• Insecure Interfaces: Thirty percent of the tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns.
• Insecure Software/Firmware: A full 70 percent of the smartwatches were found to have concerns with protection of firmware updates, including transmitting firmware updates without encryption and without encrypting the update files.
• Privacy Concerns: All smartwatches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information.
As manufacturers work to incorporate necessary security measures into smartwatches, consumers are urged to consider security when choosing to use a smartwatch. It’s recommended that users do not enable sensitive access control functions such as car or home access unless strong authorization is offered. In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorized access to data. These security measures are not only important to protecting personal data, but are critical as smartwatches are introduced to the workplace and connected to corporate networks.