The new HP report into smartwatch security is well worth a quick read. It succinctly describes a series of tests performed by HP, to assess the security of 10 smartwatches currently on the market, along with the mobile phones which they are paired with. Here are four key findings from the report.
1. Most watches suffered from insecure firmware updates.
Seventy percent were found to have concerns with protection of firmware updates including transmitting firmware updates without encryption and without encrypting the update files.
2. Three watches required only weak authentication/authorization.
Three smartwatches included both a cloud-based web interface and a mobile interface which failed to require passwords of sufficient complexity and length. Two of the three smartwatches required only an eight-character numeric password while the other only required an eight-character alphanumeric password. All three systems also lacked the ability to lock out accounts after 3-5 failed attempts.
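As an added illustration, not code from HP's report or from any of the tested products, here is a minimal password-policy and account-lockout check a backend could apply; the 12-character minimum, the three-character-class rule and the five-attempt threshold are assumptions, chosen so that the eight-character numeric and alphanumeric passwords described above are rejected and brute-force guessing is cut off within the 3-5 attempt range the report mentions.

```python
import string
from dataclasses import dataclass, field

MIN_LENGTH = 12          # assumed policy value; the report only says 8 characters was too short
MAX_FAILED_ATTEMPTS = 5  # assumed threshold, within the 3-5 attempt range in the report


def password_policy_violations(pw: str) -> list[str]:
    """Return the rules a proposed password fails (empty list means acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase letter": any(c in string.ascii_lowercase for c in pw),
        "uppercase letter": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(classes) - len(missing) < 3:
        problems.append("fewer than three character classes (missing: " + ", ".join(missing) + ")")
    return problems


@dataclass
class AccountGuard:
    """Counts failed logins per account and refuses all further attempts once locked."""
    max_failed: int = MAX_FAILED_ATTEMPTS
    failed: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, account: str, password_ok: bool) -> str:
        # A locked account stays locked even if the correct password is supplied;
        # unlocking is an out-of-band step (e.g. verified e-mail or support desk).
        if account in self.locked:
            return "locked"
        if password_ok:
            self.failed.pop(account, None)  # a successful login resets the counter
            return "ok"
        self.failed[account] = self.failed.get(account, 0) + 1
        if self.failed[account] >= self.max_failed:
            self.locked.add(account)
            return "locked"
        return "denied"
```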
3. Half the watches lacked basic mechanisms to protect personal data if the watch was stolen.
Only 50% of tested smartwatches offered the ability to enforce a screen lock, either by PIN or by Pattern, to help protect user data in the event the watch was lost or stolen. Two of the watches that had no PIN or Pattern screen lock protection could be paired with an attacker’s smartphone (without un-pairing from the owner’s device) allowing all existing watch data to be synced to an attacker’s smartwatch account.
4. Data may be sent to too many backend destinations.
Each additional place that data is sent to during normal use of a given application is another point at which that data can be accessed. Whether using a health, financial, or even gaming application, HP was able to intercept and detect sensitive data being routed to multiple locations on the Internet.
This is often legitimate traffic destined for the authorized backend server, but in many cases the number of destinations is substantial, and it is worth questioning whether that many destinations are fully transparent to all parties involved, including the vendor who created the application and the consumer who will use it.
To learn more, download HP’s report from here.