HP Fortify has discovered that a full 100% of tested smartwatches exhibit security flaws. As part of an ongoing series looking at Internet of Things (IoT) security, HP today unveiled results of an assessment confirming that smartwatches with network and communication functionality represent a new and open frontier for cyberattack.
As they become more mainstream, smartwatches will increasingly store more sensitive information such as health data, and through connectivity with mobile apps may soon enable physical access functions including unlocking cars and homes.
“Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities,” said Jeffrey Neo, Regional Director, Southeast Asia, HP Enterprise Security Products. “As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.”
The study*, conducted by HP Fortify, questions whether smartwatches should store and protect sensitive data. HP leveraged HP Fortify on Demand to assess 10 smartwatches, along with their Android and iOS cloud and mobile application components, uncovering numerous security concerns**:
Insufficient user authentication/authorisation
Every smartwatch tested made it easy for third parties to gain access. For example, the watches did not support two-factor authentication, such as using a PIN from a separate device, and did not lock out accounts after three to five failed password attempts.
Lack of strong transport encryption
Data was sent in scrambled form as it is moved in the cloud, preventing it from being read easily, but 40% of the connections are open to attack.
Thirty percent of the tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate test, 30% also exhibited account enumeration concerns with their mobile applications. Account enumeration refers to the practice of telling a user that the account name is correct but the password is wrong, allowing a list of valid user names to be harvested, and of confirming that an email address for resetting passwords is valid.
Seven in 10 of the smartwatches were found to have concerns with protection of firmware updates, including transmitting firmware updates without encryption and without encrypting the update files.
All smartwatches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal information is a concern.
As manufacturers work to incorporate necessary security measures into smartwatches, consumers are urged to consider security when choosing to use a smartwatch. It is recommended that users do not enable sensitive access control functions such as car or home access unless strong authorisation is offered. In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorised access to data. These security measures are not only important to protecting personal data, but are critical as smartwatches are introduced to the workplace and connected to corporate networks.
Additional guidelines for secure smartwatch use are in the full report
*Conducted by HP Fortify, the HP Smartwatch Security Study used the HP Fortify on Demand IoT testing methodology which combined manual testing along with the use of automated tools. Devices and their components were assessed based on the OWASP Internet of Things Top 10 and the specific vulnerabilities associated with each top 10 category.
All data and percentages for this study were drawn from the 10 smartwatches tested during this study. While there are certainly a fair number of smartwatch devices already on the market, and that number continues to grow, HP believes the similarity in results of the 10 smartwatches provides a good indicator of the current security posture of smartwatch devices.
**HP Internet of Things Security Report: Smartwatches, HP, July 2015