Smartwatches contain a range of security flaws, raising fresh concerns about wearable devices gathering and sharing big data and personal information across the Internet of Things (IoT), according to new research from Hewlett-Packard Co.
After testing 10 major smartwatch brands,
The five most common issues,
1. Insufficient User Authentication/Authorization: Three of the 10 watches were vulnerable to account harvesting, meaning an attacker could gain access to the device and data via a combination of weak password policy, lack of account lockout, and user enumeration, HP said.
2. Lack of Transport Encryption: All of the test products implemented transport encryption using SSL/TLS, but four of the 10 cloud connections were vulnerable to the POODLE attack, allowed the use of weak ciphers, or still used SSL v2, HP asserted.
3. Insecure Interfaces: Three of the 10 tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate test, 30 percent also exhibited account enumeration concerns with their mobile applications. This vulnerability enables hackers to identify valid user accounts through feedback received from reset password mechanisms, HP said.
4. Insecure Software/Firmware: Seven of the 10 smartwatches could suffer from firmware security issues, including transmitting firmware updates without encryption and without encrypting the update files. However, many updates were signed to help prevent the installation of contaminated firmware. While malicious updates cannot be installed, lack of encryption allows the files to be downloaded and analyzed, HP noted.
5. Privacy Concerns: All smartwatches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal information is a concern, HP said.
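The account enumeration and missing lockout described in items 1 and 3 can be shown with a small sketch. This is an added example, not code from HP's report or any tested product; the `AccountService` class, its messages, and the threshold of five failures are all assumptions made for illustration, and a real service would also expire the failure counter.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5                      # assumed lockout threshold
GENERIC_LOGIN_ERROR = "Invalid credentials or account temporarily locked."
_DUMMY_SALT = os.urandom(16)          # hashed for unknown accounts so work is similar

def _hash(password, salt):
    # Iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountService:
    """Hypothetical cloud account back end for a wearable (constructed example)."""
    def __init__(self):
        self.users = {}      # email -> (salt, password hash)
        self.failures = {}   # email -> consecutive failed logins
        self.outbox = []     # stand-in for the reset e-mail queue

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = (salt, _hash(password, salt))

    def reset_vulnerable(self, email):
        # Different answers for known and unknown addresses: an enumeration oracle.
        if email not in self.users:
            return "No account with that address."
        self.outbox.append(email)
        return "Reset link sent."

    def reset_hardened(self, email):
        # Same answer either way; mail is queued only for real accounts.
        if email in self.users:
            self.outbox.append(email)
        return "If that address is registered, a reset link has been sent."

    def login(self, email, password):
        # Failures are counted for every submitted address, known or not, so
        # lockout behaviour does not reveal which accounts exist.
        if self.failures.get(email, 0) >= MAX_FAILURES:
            return GENERIC_LOGIN_ERROR
        salt, stored = self.users.get(email, (_DUMMY_SALT, b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures.pop(email, None)
            return "OK"
        self.failures[email] = self.failures.get(email, 0) + 1
        return GENERIC_LOGIN_ERROR
```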
Bigger Picture
The report emerges as Apple Watch begins to attract a range of interest from such vertical markets as healthcare, financial services and insurance. For example,
Without commenting directly about the HP report, Apple continues to update its
Meanwhile, some Android smartwatch makers are focusing heavily on security to differentiate from rivals.
Although the wearable market remains in its infancy, security risks could spread as