Smartwatches with network and communication functionality, like the Apple Watch, clearly represent a new and open frontier for cyber-attack: HP Fortify has in fact found that 100% of the smartwatches that it tested contain significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns.
Smartwatches are the tip of the spear for the Internet of Things (IoT) incursion, billed as handy gadgets to keep track of calendars, check mails, and use for apps ranging from pedometers to heart monitoring.
As their adoption continues and the innovation of the developer ecosystem finds better and better uses for them, smartwatches will increasingly store more sensitive information such as health data, and through connectivity with mobile apps may soon enable physical access functions including unlocking cars and homes.
Then there’s the corporate dimension.
“A key trend over the next year will be a surge in the number of wearable devices entering the work environment as employees use them for convenience, productivity and even as part of their job role,” said Darin Welfare, VP EMEA at WinMagic, in an email. “This means that more and more devices are being connected to the enterprise network, which causes a unique threat to businesses. Whilst a breach of these devices can be hugely inconvenient for an individual, the consequences of a hack happening with the device connected to the company network could be catastrophic for a business.”
But smartwatches are not designed primarily to protect the sensitive data and tasks they are increasingly used for. HP leveraged HP Fortify on Demand to assess 10 smartwatches, along with their Android and iOS cloud and mobile application components, and uncovered numerous security concerns.
First and foremost there are authentication issues. Every smartwatch tested was paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after three to five failed password attempts—which should be table stakes for any smart device.
Overall, three of the 10 (30%) were vulnerable to account harvesting, meaning an attacker could gain access to the device and its data through a combination of weak password policy, lack of account lockout and user enumeration.
HP also uncovered weaknesses in transport encryption. Transport encryption is critical, given that personal information is being moved to multiple locations in the cloud. While 100% of the tested products implemented transport encryption using SSL/TLS, 40% of the cloud connections remained vulnerable to the POODLE attack, allowed the use of weak ciphers or still accepted SSL v2. POODLE exploits the way SSLv3 handles CBC padding, so any endpoint that can still be talked down to SSLv3 is exposed regardless of how well the watch's default TLS connection is configured.
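The checks a tester would apply to those cloud connections, as an added example that is not part of the HP report or any vendor's code: a small audit that classifies observed (protocol, cipher suite) pairs, flagging SSLv2/SSLv3 as unacceptable and cipher suites built on RC4, DES/3DES, export grades, NULL encryption, anonymous key exchange or MD5 as weak, next to a client-side TLS context configured so none of those can be negotiated. The sample connection list is constructed for illustration; the marker strings are OpenSSL cipher-name conventions.

```python
"""Audit TLS parameters observed on a watch's cloud connections.

Added example, not from the HP report. OBSERVED_CONNECTIONS is a
constructed sample of what a scanner might record; the cipher names
follow OpenSSL naming.
"""
import ssl
from typing import Dict, List, Tuple

# Constructed sample: (protocol, cipher suite) as a scanner would log them.
OBSERVED_CONNECTIONS: List[Tuple[str, str]] = [
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),  # acceptable
    ("SSLv3", "AES256-SHA"),                     # SSLv3: POODLE-exposed
    ("TLSv1.0", "RC4-SHA"),                      # legacy protocol, broken cipher
    ("SSLv2", "DES-CBC3-MD5"),                   # obsolete protocol, 3DES + MD5
    ("TLSv1.2", "EXP-RC2-CBC-MD5"),              # export-grade suite
]

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
LEGACY_PROTOCOLS = {"TLSv1.0", "TLSv1.1"}
# Substrings of an OpenSSL cipher-suite name that mark a weak suite:
# export grades (EXP), RC4, single/triple DES, NULL encryption, anonymous
# DH/ECDH (no server authentication) and MD5-based MACs.
WEAK_CIPHER_MARKERS = ("EXP", "RC4", "DES", "NULL", "ADH", "AECDH", "MD5")


def audit_connection(protocol: str, cipher: str) -> List[str]:
    """Return a list of findings for one negotiated connection (empty if clean)."""
    findings = []
    if protocol in OBSOLETE_PROTOCOLS:
        reason = ("POODLE padding-oracle attack" if protocol == "SSLv3"
                  else "broken handshake, trivially downgradable")
        findings.append(f"{protocol} accepted ({reason})")
    elif protocol in LEGACY_PROTOCOLS:
        findings.append(f"{protocol} accepted (deprecated; require TLS 1.2+)")
    weak = [m for m in WEAK_CIPHER_MARKERS if m in cipher.upper()]
    if weak:
        findings.append(f"weak cipher suite {cipher} ({', '.join(weak)})")
    return findings


def audit_all(connections: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit every observed connection, keyed by 'protocol/cipher'."""
    return {f"{p}/{c}": audit_connection(p, c) for p, c in connections}


def hardened_client_context() -> ssl.SSLContext:
    """A client TLS context that cannot negotiate any of the flagged settings.

    create_default_context() already enables certificate and hostname
    verification; the minimum version and cipher string close off the
    downgrade paths the audit above reports.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv2/3 and TLS 1.0/1.1
    # Forward-secret AEAD suites only; the '!' entries are belt-and-braces.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


if __name__ == "__main__":
    for conn, findings in audit_all(OBSERVED_CONNECTIONS).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{conn:45} {status}")
    ctx = hardened_client_context()
    print("hardened context allows:", [c["name"] for c in ctx.get_ciphers()])
```

In the constructed sample, four of the five connections produce findings; running `audit_connection` over every suite the hardened context will offer produces none, which is the property a tester would want to confirm before trusting a watch's cloud link.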
Also, 30% of the tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate test, 30% also exhibited account enumeration concerns in their mobile applications. Account enumeration lets an attacker identify valid user accounts from the feedback returned by password reset mechanisms, for example a different message for registered and unregistered email addresses; combined with a weak password policy and no lockout, that list of valid accounts is what makes the account harvesting described above practical.
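The two controls the report says were missing, account lockout and enumeration-resistant password reset, as an added example that is not code from the report or from any smartwatch vendor. The account service, email addresses and the attacker-side probe are all constructed for illustration. The leaky reset handler is kept beside the hardened one so the enumeration check can be run against both.

```python
"""Account lockout and enumeration-resistant password reset.

Added example, not from the HP report. AccountService is a constructed
in-memory stand-in for a watch's companion cloud service; the outbox
list stands in for the email sender.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000
DUMMY_SALT = bytes(16)   # used to equalise timing for unknown accounts
GENERIC_RESET_MESSAGE = "If that address is registered, a reset link has been sent."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class AccountService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []   # (recipient, reset token)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(salt, hash_password(password, salt))

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            # Do the same work as for a real account so response time does
            # not reveal whether the address exists, then fail uniformly.
            hash_password(password, DUMMY_SALT)
            return False
        if acct.locked:
            return False   # same outcome as a wrong password: no "locked" hint
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True   # stops online guessing at MAX_FAILED_ATTEMPTS
        return False

    def _send_reset(self, email: str) -> None:
        self.outbox.append((email, secrets.token_urlsafe(32)))

    def request_reset_leaky(self, email: str) -> str:
        # Vulnerable form: the reply differs for unknown addresses, so the
        # reset form doubles as an account-existence oracle.
        if email not in self.accounts:
            return "No account found for that email address."
        self._send_reset(email)
        return "A reset link has been sent to your email address."

    def request_reset(self, email: str) -> str:
        # Hardened form: identical reply whether or not the account exists;
        # only a registered user actually receives mail.
        if email in self.accounts:
            self._send_reset(email)
        return GENERIC_RESET_MESSAGE


def enumerate_accounts(reset_fn: Callable[[str], str], candidates: List[str]) -> Set[str]:
    """Attacker's view: probe a certainly-unregistered address to learn the
    'unknown account' reply, then report every candidate whose reply differs."""
    baseline = reset_fn(f"probe-{secrets.token_hex(8)}@example.invalid")
    return {c for c in candidates if reset_fn(c) != baseline}


if __name__ == "__main__":
    svc = AccountService()
    svc.register("alice@example.com", "correct horse battery staple")
    candidates = ["alice@example.com", "bob@example.com"]
    print("leaky reset reveals:   ", enumerate_accounts(svc.request_reset_leaky, candidates))
    print("hardened reset reveals:", enumerate_accounts(svc.request_reset, candidates))
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice@example.com", "guess")
    print("alice locked after repeated failures:", svc.accounts["alice@example.com"].locked)
```

Against the constructed service, the leaky handler hands the attacker the exact set of registered addresses, the hardened handler yields nothing, and the fifth wrong password locks the account so the weak-password problem cannot be exploited by online guessing. Unlocking (after a cooldown or via a verified reset) is left out; in production the lockout would also be keyed per source to blunt a denial-of-service against known users.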
Also, a full 70% of the smartwatches were found to have concerns with protection of firmware updates, including transmitting updates over unencrypted channels and not encrypting the update files themselves. However, many updates were signed, which helps prevent the installation of tampered firmware. Where signing is in place a modified image will be rejected, but the lack of encryption still allows an attacker to download the update files and analyze them for weaknesses to exploit.
And finally, HP found big privacy concerns. All smartwatches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal information is a concern.
“It’s recommended that users do not enable sensitive access control functions such as car or home access unless strong authorization is offered,” HP noted. “In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorized access to data. These security measures are not only important to protecting personal data, but are critical as smartwatches are introduced to the workplace and connected to corporate networks.”
Welfare said that IT departments must start planning for the growing use of wearable devices on the company network, and as such, should start implementing security protocols that will limit the risk from these devices.
“This starts with education on the veracity of passwords and ideally would include full encryption of all devices on the company network,” he said. “To better secure these devices, manufacturers should look at encryption at the hardware level, which will ensure that any data mined from the device is unusable. IT teams should be starting these conversations today so they are not blindsided tomorrow.”