HP Report on Smartwatch Security

The new HP report into smartwatch security is well worth a quick read. It succinctly describes a series of tests performed by HP to assess the security of 10 smartwatches currently on the market, along with the mobile phones they are paired with. Here are four key findings from the report.

1. Most watches suffered from insecure firmware updates.

Seventy percent were found to have concerns with the protection of firmware updates, including transmitting firmware updates without encryption and without encrypting the update files.

2. Three watches required only weak authentication/authorization.

Three smartwatches included both a cloud-based web interface and a mobile interface which failed to require passwords of sufficient complexity and length. Two of the three smartwatches required only an eight-character numeric password, while the other required only an eight-character alphanumeric password. All three systems also lacked the ability to lock out accounts after 3-5 failed attempts.
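The two controls this finding says were missing, a password complexity rule and an account lockout, are short to implement on the server side. The following is an added example, not code from HP or any watch vendor: the eight-digit rule is the one the report describes, while the stricter policy (12 characters, three character classes) and the lockout values (5 failures, 15 minutes) are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Rule seen in the report on two watches: exactly eight digits. The stricter
# rule below (12+ characters, at least three character classes) is an assumption
# for this example, not a policy HP or a vendor prescribes.
def password_meets_policy(password: str, min_length: int = 12, min_classes: int = 3):
    """Return (ok, reasons); reasons lists every rule the password fails."""
    classes = {
        "lowercase": r"[a-z]",
        "uppercase": r"[A-Z]",
        "digit": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    present = [name for name, pattern in classes.items() if re.search(pattern, password)]
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(present) < min_classes:
        reasons.append(f"only {len(present)} of {min_classes} character classes")
    return (not reasons, reasons)


@dataclass
class LoginGuard:
    """Count consecutive failed logins per account and lock the account at a threshold.

    5 failures and a 900 second lockout are example values (assumption), chosen to
    sit in the 3-5 attempt range the report mentions."""
    max_failures: int = 5
    lockout_seconds: int = 900
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> unlock timestamp

    def attempt(self, account: str, credentials_valid: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'failed'. 'now' is injected so tests are deterministic."""
        if self.locked_until.get(account, 0) > now:
            return "locked"  # refuse even a correct password while the lock is active
        if credentials_valid:
            self.failures.pop(account, None)  # success resets the counter
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures.pop(account, None)
        return "failed"
```

Without the lockout, an eight-digit password leaves only 10^8 candidates to try at network speed; with it, an attacker gets five guesses per lockout window per account.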

3. Half the watches lacked basic mechanisms to protect personal data if the watch was stolen.

Only 50% of tested smartwatches offered the ability to enforce a screen lock, either by PIN or by Pattern, to help protect user data in the event the watch was lost or stolen. Two of the watches that had no PIN or Pattern screen lock protection could be paired with an attacker’s smartphone (without un-pairing from the owner’s device) allowing all existing watch data to be synced to an attacker’s smartwatch account.

4. Data may be sent to too many backend destinations.

Every destination to which data is sent during the standard use of a given application is an additional point of access. Whether using a health, financial, or even gaming application, HP was able to intercept and detect the sensitive data being routed to multiple locations on the Internet.

This is often legitimate traffic destined for the authorized backend server, but in many cases the number of destinations is substantial, and it is worth questioning whether that many destinations are fully transparent to all parties involved, including the vendor who created the application and the consumer who will use it.

To learn more, download HP’s report from here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Director of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.