Smartwatches have significant vulnerabilities, most notably insufficient authentication, missing encryption and privacy problems. A study by HP Fortify also offers practical guidance for developing smartwatches and for using them safely, both at home and at work.
As the IoT market grows, smartwatches are gaining popularity and will hold more and more sensitive information, such as health data; through their connection to mobile apps they may soon also control physical access, for example opening car and home locks.
The most common security problems found were:
- Insufficient user authentication/authorization: every smartwatch tested is paired with a mobile interface that lacks two-factor authentication and does not lock the account after 3-5 failed password attempts. Three out of ten were vulnerable to account harvesting: in practice, an attacker could gain access to the device and its data by combining a weak password policy, the absence of account lockout and user enumeration.
- Lack of transport encryption: transport encryption is essential, since personal information is sent to several endpoints in the cloud. Although 100% of the tested products encrypt traffic with SSL/TLS, 40% of the cloud connections were still vulnerable to the POODLE attack, accepted weak ciphers or still allowed SSL v2.
- Insecure interfaces: 30% of the tested smartwatches use a cloud-based web interface, and all of these allow account enumeration. In a separate test, 30% also allowed account enumeration through their mobile apps. This weakness lets an attacker identify valid user accounts from the differing responses of the password-reset mechanism.
- Insecure software/firmware: 70% of the smartwatches have weaknesses in their firmware update process, including sending updates over unencrypted channels and not encrypting the update files themselves. Many updates are signed, however, which prevents tampered firmware from being installed. So although a malicious update cannot be loaded, the lack of encryption lets an attacker download the update image and analyse it.
- Privacy concerns: every smartwatch collects some personal information, such as name, address, date of birth, weight, gender, heart rate and other health data. Given the account-enumeration and weak-password problems on some of the products, exposure of this personal information is a real concern.
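The authentication and interface findings above come down to two server-side mistakes: a password-reset endpoint whose reply differs for known and unknown addresses, and a login that never locks an account. The following is an added example (not code from HP Fortify or from any vendor in the study) of a hypothetical companion-app backend, showing the leaky and lockout-free behaviour next to a hardened version, together with the account-harvesting and password-spraying logic an attacker would run against each. The user, e-mail addresses and password list are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

# Hypothetical backend for a smartwatch companion app (example code, not a
# real product). PBKDF2 iteration count kept modest so the demo runs quickly.
PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16  # used to spend the same work for unknown accounts


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class AccountService:
    MAX_FAILURES = 5        # lockout threshold in the 3-5 range the report says was missing
    LOCKOUT_SECONDS = 900

    def __init__(self, now=time.time):
        self.users: dict[str, Account] = {}
        self.outbox: list[str] = []   # stands in for actually sending reset e-mails
        self.now = now

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email] = Account(salt, _hash_password(password, salt))

    # --- behaviour the report criticises -----------------------------------
    def reset_password_leaky(self, email: str) -> str:
        # The two replies differ, so the response tells the caller whether the
        # address is registered: this is the account-enumeration weakness.
        if email in self.users:
            self.outbox.append(email)
            return "A reset link has been sent to your e-mail address."
        return "No account found for that e-mail address."

    def login_no_lockout(self, email: str, password: str) -> bool:
        # Correct check, but unlimited attempts: a weak password falls to spraying.
        acct = self.users.get(email)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    # --- hardened behaviour -------------------------------------------------
    def reset_password(self, email: str) -> str:
        # Identical reply either way; the mail (if any) goes out of band.
        if email in self.users:
            self.outbox.append(email)
        return "If an account exists for that address, a reset link has been sent."

    def login(self, email: str, password: str) -> bool:
        acct = self.users.get(email)
        if acct is None:
            _hash_password(password, _DUMMY_SALT)   # same cost as a real check
            return False
        if acct.locked_until > self.now():
            return False                             # locked: no hashing, no hint
        if hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= self.MAX_FAILURES:
            acct.locked_until = self.now() + self.LOCKOUT_SECONDS
            acct.failures = 0
        return False


# --- what an attacker does with the weak behaviour ---------------------------
def harvest_accounts(reset_fn, candidates: list[str]) -> list[str]:
    """Return the candidates whose reset reply differs from that of a surely-unknown probe."""
    baseline = reset_fn(f"{secrets.token_hex(8)}@invalid.example")
    return [c for c in candidates if reset_fn(c) != baseline]


def password_spray(login_fn, email: str, wordlist: list[str]) -> str | None:
    """Try each password in order and return the first one accepted, if any."""
    for pw in wordlist:
        if login_fn(email, pw):
            return pw
    return None


if __name__ == "__main__":
    svc = AccountService()
    svc.register("alice@example.com", "correct horse")   # constructed sample user
    probes = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("leaky reset reveals:   ", harvest_accounts(svc.reset_password_leaky, probes))
    print("hardened reset reveals:", harvest_accounts(svc.reset_password, probes))
    guesses = ["123456", "password", "qwerty", "letmein", "watch", "abc123", "correct horse"]
    print("spray without lockout:", password_spray(svc.login_no_lockout, "alice@example.com", guesses))
    print("spray with lockout:   ", password_spray(svc.login, "alice@example.com", guesses))
```

Against the hardened service the harvest returns nothing, and the spray is stopped at the fifth failure even though the correct password is later in the list; the account unlocks by itself after LOCKOUT_SECONDS. Injecting the clock (`now=`) is what makes that expiry testable without sleeping.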
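For the transport-encryption finding, the practical question is what "encrypted with SSL/TLS" still leaves open: SSL v2/v3 being accepted (SSL 3.0 is what POODLE attacks) and weak cipher suites. The block below is an added example, not from the report or any vendor, that turns those findings into a check that can be run over the protocol and cipher lists a scanner reports for a cloud endpoint, and shows the client-side `ssl` configuration a companion app should use instead. The scan results in the `__main__` section are constructed, and the weak-cipher token list is an assumption of this example rather than an exhaustive policy.

```python
import ssl

# Substrings of an OpenSSL cipher name that mark a suite as weak for the purposes
# of this example (RC4, DES/3DES, NULL encryption, export grade, MD5, anonymous DH).
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXP-", "MD5", "ADH", "AECDH", "ANON")
LEGACY_PROTOCOLS = {
    "SSLv2": "SSL 2.0 accepted",
    "SSLv3": "SSL 3.0 accepted (POODLE exposure)",
}


def audit_cipher_names(names):
    """Return the cipher names that contain a weak-cipher token."""
    return [n for n in names if any(tok in n.upper() for tok in WEAK_CIPHER_TOKENS)]


def audit_scan(offered_protocols, offered_ciphers):
    """Summarise a scan of an endpoint: which protocols and ciphers it was seen to accept."""
    findings = [LEGACY_PROTOCOLS[p] for p in offered_protocols if p in LEGACY_PROTOCOLS]
    findings += [f"weak cipher accepted: {c}" for c in audit_cipher_names(offered_ciphers)]
    return findings


def hardened_client_context():
    """Client-side TLS configuration a companion app should use towards its cloud API."""
    ctx = ssl.create_default_context()           # certificate and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSLv2/SSLv3 and TLS 1.0/1.1
    # Forward-secret AEAD suites only; the negations are defensive and redundant here.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def audit_context(ctx):
    """Apply the same checks as audit_scan to a live SSLContext's enabled suites."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}")
    enabled = ctx.get_ciphers()   # list of dicts with 'name' and 'protocol' keys
    findings += [f"legacy-protocol cipher enabled: {c['name']} ({c['protocol']})"
                 for c in enabled if c["protocol"] in LEGACY_PROTOCOLS]
    weak = audit_cipher_names([c["name"] for c in enabled])
    findings += [f"weak cipher enabled: {name}" for name in weak]
    return findings


if __name__ == "__main__":
    # Constructed scan output for an imaginary cloud endpoint, not a real host.
    seen_protocols = ["SSLv3", "TLSv1.0", "TLSv1.2"]
    seen_ciphers = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"]
    for f in audit_scan(seen_protocols, seen_ciphers):
        print("scan:", f)
    print("hardened client context findings:", audit_context(hardened_client_context()))
```

The scan-side audit is deliberately independent of the local OpenSSL build, so it can be fed the output of whatever scanner you use; `audit_context` is the same rule set applied to the configuration you ship in the app, which is where the cloud-connection findings in the report would be caught before release.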
Additional guidelines for the safe use of smartwatches are available in the complete report.