Smartwatches, A Key Target For Hackers

by CXOtoday News Desk    Jul 27, 2015


Smartwatches are opening up a new frontier for cyber attackers, researchers believe. A study published by HP identified major vulnerabilities in the top smartwatch brands. The study revealed flaws in the cloud-based systems smartwatches use to store data, a lack of sufficient user authentication, and data that is open to exploitation by hackers.

The report comes at a time when the smartphone market is growing rapidly. Last year, nearly 6.8 million smartwatches were sold worldwide, with Samsung leading the way, according to a report from the Smartwatch Group. However, the release of the Apple Watch has seen a dramatic increase in adoption. Apple now holds 75 percent of the smartwatch market and shipped four million devices during the second quarter of 2015 alone.

It has been estimated that almost 350 million wearable devices will be in use worldwide by 2018, as per CCS Insight’s latest global wearables forecast.

In such a scenario, the HP study aims at alerting vendors about the flaws, though it cannot disclose the watches it tested, said Daniel Miessler, practice principal at HP. He also examined the security around the Web interfaces and mobile apps that accompany smartwatches and allow a person to access the device, as well as how data gathered by watch apps is protected and used.

The study found vulnerabilities with each of the watches and raised concerns over user authentication methods, data encryption and data privacy, among other issues.

Only half of the watches HP tested let users lock the device’s screen, potentially allowing a stranger to access their sensitive information if the wearable was lost or stolen. Smartwatch sensors collect health data, including heart beats, and the devices store personal details including the person’s name, address and date of birth. Some of the watches that lack the ability to lock a screen could be paired with a smartphone other than the owner’s, giving an attacker access to the wearable’s data.

When it came to encrypting data that’s sent to the cloud, most smartwatches failed, said the study. While the wearables used SSL and TLS security protocols to encrypt information, some relied on SSL 2.0, an older version of the protocol that’s known to have security flaws. 

In some cases, vendors prioritize getting smartwatches on the market over security so measures like data encryption are overlooked. Others don’t realize the dangers of transmitting data in clear text form, Miessler said, questioning if there’s enough transparency around how data collected by watch apps is used. For example, some of the places where smartwatch data ended up include advertising and analytics networks.

HP said 70 percent of the watches processed firmware updates. Those devices were sent unencrypted updates, and while they were signed to prevent malicious files from being uploaded, this didn’t prevent them from being downloaded and viewed by others. Consumers may not realize they need to be aware of security issues around mobile apps and Web interfaces used to access smartwatches, Miessler said. “It’s not just a smartwatch. It’s the ecosystem around it,” he said.

“As manufacturers work to incorporate necessary security measures into smartwatches, consumers are urged to consider security when choosing to use a smartwatch. It’s recommended that users do not enable sensitive access control functions such as car or home access unless strong authorization is offered.

“In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorized access to data. These security measures are not only important to protecting personal data, but are critical as smartwatches are introduced to the workplace and connected to corporate networks,” HP said.