An HP study of smartwatches has found that 100 per cent of the smartwatches tested contained “significant vulnerabilities”.Smartwatches may be becoming an increasingly popular choice for consumers, however the HP study warns that security should be a foremost consideration, confirming that “smartwatches with network and communication functionality represent a new and open frontier for cyberattack”.
HP leveraged HP Fortify on Demand in assessing 10 smartwatches, along with their Android and iOS cloud and mobile application components, uncovering “numerous security concerns”.
The study found that 100 per cent of the tested smartwatches contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns.
Every smartwatch tested was paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after 3-5 failed password attempts, with 30 per cent vulnerable to account harvesting, meaning an attacker “could gain access to the device and data via a combination of weak password policy, lack of account lockout and user enumeration”.
The study also found that, while 100 per cent of the test products implemented transport encryption using SSL/TLS, 40 per cent of the cloud connections continue to be vulnerable to the POODLE attack, allow the use of weak cyphers, or still used SSL v2.
Thirty per cent of the tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns, while in a separate test, 30 per cent also exhibited account enumeration concerns with their mobile applications.
Seventy per cent of the smartwatches were found to have concerns with protection of firmware updates, including transmitting firmware updates without encryption and without encrypting the update files, while, with all the smartwatches collecting some form of personal information, HP noted privacy is a concern.
“Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities,” Jason Schmitt, general manager, HP Security, Fortify, commented.
“As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.”
