Smartwatches are the latest in wearable technology, and although they have been out for a number of years, their popularity has exploded since Apple released the Apple Watch in April 2015.
But the one question that people don’t think about asking is: how safe is it? After all, a smartwatch is designed to be used in a connected world, where you download and install various apps and integrate with other devices.
HP thought about this and has recently released a report warning people that just about every single smartwatch is vulnerable to some type of cyberattack in one way or another.
The HP study
HP’s study focuses on the top 10 smartwatches that are available today (July 2015) and looks into their security features, which include the use of basic data encryption, password protection and any privacy issues that may be exposed.
This sounds great until you start reading the report, whose findings show that every single smartwatch tested failed in at least one area.
Every smartwatch found to fail in at least one area
The security experts performing the testing found that a shocking 100 percent of the smartwatches contained at least one security vulnerability that could leave the device open to malicious attackers.
Although it’s still early in the evolution of smartwatches, you would have thought that people would have learnt from the security issues that have cropped up in the last few years. However, the manufacturers are not paying enough attention to the security of the devices and are instead concentrating on making the devices look good for the consumer.
Jason Schmitt, general manager at HP’s security fortify said: “As the adoption of Smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting Smartwatches into corporate networks”
Issues reported by HP
Here is a list of the issues reported by HP:
- Insecure Interfaces – It was reported that three out of the 10 tested smartwatches used cloud-based web interfaces, and all of these were vulnerable to account harvesting. This vulnerability allows a malicious person to try to log into the account an unlimited number of times, otherwise known as a brute force attack.
- Privacy Concerns – The smartwatches also demonstrated a risk to personal security as well as privacy. All the tested smartwatches collected personal information in one form or another. This could include username, address, date of birth, gender, heart rate, weight and other health information, depending upon the manufacturer.
- Lack of transport encryption – It was found that although all of the products implemented transport encryption using SSL/TLS, 40 percent of devices were either vulnerable to the POODLE attack, allowed the use of weak ciphers, or still used SSL v2.
- Insufficient User Authentication/Authorisation – It was found that three out of ten smartwatches failed to offer two-factor authentication or the ability to lock accounts after 3 to 5 failed password attempts.
- Insecure Software/Firmware – It was found that seven out of the ten smartwatches had issues with applying firmware updates. The smartwatches often did not receive firmware updates via encrypted means (transferred via HTTPS, for example), but many updates were signed to help prevent malicious firmware updates from being installed.
HP’s security experts said that they would not disclose the names of the smartwatch manufacturers whose devices they tested; however, they were currently working with them to help build better security controls.
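The account lockout that the "Insecure Interfaces" and "Insufficient User Authentication/Authorisation" items above describe as missing, sketched as an added example (not code from HP's report or from any tested product). The `LoginThrottle` name, the 15-minute lock window and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # upper end of the 3 to 5 attempts the report mentions
LOCKOUT_SECONDS = 15 * 60   # assumed lock window, not a figure from the report
GENERIC_ERROR = "invalid username or password"

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginThrottle:
    def __init__(self, users, clock=time.monotonic):
        self.users = users        # username -> (salt, password_hash)
        self.clock = clock
        self.failures = {}        # username -> consecutive failed attempts
        self.locked_until = {}    # username -> time at which the lock expires

    def attempt(self, username, password):
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return False, GENERIC_ERROR   # locked: the password is not checked
        # Unknown usernames get a dummy record so they are hashed, counted and
        # answered exactly like real ones (no hint about which accounts exist).
        salt, expected = self.users.get(username, (b"\0" * 16, b"\0" * 32))
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        if ok and username in self.users:
            self.failures.pop(username, None)
            return True, "ok"
        count = self.failures[username] = self.failures.get(username, 0) + 1
        if count >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
        return False, GENERIC_ERROR

def demo():
    # Constructed sample account and a fake clock so the demo runs instantly.
    salt = os.urandom(16)
    users = {"alice": (salt, hash_password("correct horse", salt))}
    now = [0.0]
    throttle = LoginThrottle(users, clock=lambda: now[0])
    guesses = [throttle.attempt("alice", f"guess{i}")[0] for i in range(MAX_FAILURES)]
    during_lock = throttle.attempt("alice", "correct horse")  # correct, still refused
    now[0] += LOCKOUT_SECONDS + 1
    after_lock = throttle.attempt("alice", "correct horse")
    unknown = throttle.attempt("nobody", "x")
    return guesses, during_lock, after_lock, unknown

if __name__ == "__main__":
    print(demo())
```

Per-username lockout lets anyone who knows a username lock that account, so it is commonly paired with per-source rate limiting and the two-factor authentication the report also found missing.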
So what is the conclusion after this report? Although you shouldn’t be put off from buying a smartwatch, you should limit the amount of personal information you have linked to the device and ensure it’s updated to the latest version of its software/firmware.