HP the Company that acquired the Palm OS operating system and then screwed up the launch of the Palm smartphone running on the now LG owned Web OS, is now claiming that smart watches have significant security flaws.
HP who has not launched a smart watch in Australia and are struggling to market their own brand of smart watch claim that they discovered the flaws after testing 10 devices, they have not nominated whose brand of smartphone they were testing or whether they tested multiple brands.
What is also not known is whether they were testing their own brand of smart watch.
Late last year, HP announced a collaboration with fashion designer Michael Bastian for a new smart watch that they said would appeal to more than just nerds. The watch doesn’t have a touchscreen and instead relies on a black and white LCD for notifications. It doesn’t track your step count or have a microphone for voice commands.
All of them “contain significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns,” the company’s HP Fortify security group said.
The security issues could enable hackers to get unauthorized access to a smart watch’s stored health data and deliver unauthorized access to connected homes and cars, HP warned.
“Smart watches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities,” said Jason Schmitt, general manager of HP Fortify.
“As the adoption of smart watches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smart watches into corporate networks.” HP recommends that users not enable a smart watch’s car- and home-control functions unless strong authorization is offered.
“In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorized access to data,” HP said. HP’s full report outlines guidelines for secure smart-watch use. The most common – and easily addressable – security issues, HP said, include: Insufficient User Authentication/Authorization: Every tested smart watch was paired with a phone interface that lacked two-factor authentication and the ability to lock out accounts after three to five failed password attempts.
Three of the 10 were vulnerable to “account harvesting,” meaning an attacker could access the device and its data via a combination of weak password policy, lack of account lockout, and user enumeration.
The latter vulnerability enables hackers to identify user accounts through feedback received from reset password mechanisms. Lack of transport encryption: All of the tested products implemented transport encryption using SSL/TLS, but 40 percent of the cloud connections were vulnerable to the Poodle attack, allowed the use of weak cyphers, or still used SSL v2. Insecure interfaces: Thirty percent of the tested smart watches used Cloud-based web interfaces, all of which exhibited “account-enumeration concerns.
” In a separate test, 30 percent also exhibited account enumeration concerns with their mobile applications. Insecure software/firmware: A full 70 percent of the smart watches presented concerns with their protection of firmware updates, including transmitting firmware updates without encryption and without encrypting the update files.
Although many updates were designed to prevent the installation of contaminated firmware, the lack of encryption allows the files to be downloaded and analysed. Privacy concerns: All smart watches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. “Given the account enumeration issues and use of weak passwords on some products, exposure of this personal information is a concern,” HP said.