20.5k unique visitors in the last 3 days

HP Report on Smartwatch Security

Hewlett-Packard's research into IoT security includes a new study that criticizes networked smartwatches.

The new HP report into smartwatch security is well worth a quick read. It succinctly describes a series of tests performed by HP, to assess the security of 10 smartwatches currently on the market, along with the mobile phones which they are paired with. Here are four key findings from the report.

1. Most watches suffered from insecure firmware updates.

Seventy percent were found to have concerns with protection of firmware updates including transmitting firmware updates without encryption and without encrypting the update files.

2. Three watches required only weak authentication/authorization.

Three smartwatches included both a cloud-based web interface and mobile interface which failed to require passwords of sufficient complexity and length. Two of the three smartwatches required only an eight character numeric password while the other only required an eight character alphanumeric password. All three systems also lacked the ability to lock out accounts after 3-5 failed attempts.

3. Half the watches lacked basics mechanisms to protect personal data, if the watch was stolen.

Only 50% of tested smartwatches offered the ability to enforce a screen lock, either by PIN or by Pattern, to help protect user data in the event the watch was lost or stolen. Two of the watches that had no PIN or Pattern screen lock protection could be paired with an attacker’s smartphone (without un-pairing from the owner’s device) allowing all existing watch data to be synced to an attacker’s smartwatch account.

4. Data may be sent to too many backend destinations.

The number of places that data are being sent during the standard use of a given application increases the number of access points. Whether using a health application, financial, or even gaming application, HP was able to intercept and detect the sensitive data being routed to multiple locations on the Internet.

This is often legitimate traffic destined for the authorized backend server, but in many cases the number of destinations is substantial, and it is worth questioning whether that many destinations are fully transparent to all parties involved, including the vendor who created the application and the consumer who will use it.

To learn more, download HP’s report from here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email