HP report finds a majority of smartwatches to have insufficient authentication, lack of encryption and privacy concerns.
While wearable technology continues to increase in popularity, it appears that embedded security may have been left behind. That is according to new research conducted by HP, which discovered serious vulnerabilities in a vast majority of today’s most popular wrist-adorned timekeeping devices.
Without question, the wearables space has experienced tremendous growth over the last couple of months, with analysts now projecting the space to surge upwards of 150 million units by 2019. However, as smartwatches like the Apple Watch, the Motorola Moto 360 and the Samsung Gear become mainstream, malicious hackers have found a new entry point for consumers’ most valuable and confidential data.
For its “Smartwatch Security Study,” HP combined manual testing along with the use of digital tools and its HP Fortify on Demand methodology to evaluate 10 of what they believe to be today’s “top” gadgets. The team found many of the devices to be susceptible because they simply lacked basic, industry standard security measures. While the results may be disappointing, they are not too surprising given the latest string of hacks and breaches.
“Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities,” explained Jason Schmitt, general manager of HP Security, Fortify. “As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.”
Topping the list of flaws included insufficient verification, lack of encryption, insecure web interfaces and other privacy concerns. Not only did every tested unit lack a two-factor authentication process and the ability to lock out accounts after three to five failed password attempts, but the company flagged as many as 30% of the wearables to be vulnerable to account harvesting, a technique where an attacker could gain access to the device and data using a combination of weak password policy, lack of account lockout and user enumeration.
Additionally, researchers uncovered that the devices demonstrated a lack of transport encryption protocols. While each of them implemented encryption using SSL/TLS, 40% of the watches remained defenseless to known vulnerabilities such as POODLE, allowed the use of weak cyphers or still used SSL v2.
30% of the tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate study, three in 10 exhibited account enumeration concerns with their mobile applications as well. This flaw enables hackers to identify valid user accounts through feedback received from reset password mechanisms.
Making matters worse, 7 out of 10 gadgets analyzed are said to have problems with firmware updates. Researchers revealed that most of the smartwatches did not receive encrypted firmware updates, and while a number of updates were signed to help prevent malicious code or contaminated updates from being installed, a lack of encryption did allow files to be downloaded and looked at elsewhere.
If that all wasn’t scary enough, HP says the wearables demonstrate a risk to personal security and privacy ranging from names, addresses and date of births to weight, gender and heart rate information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal data is surely a concern.
“As manufacturers work to incorporate necessary security measures into smartwatches, consumers are urged to consider security when choosing to use a smartwatch. It’s recommended that users do not enable sensitive access control functions such as car or home access unless strong authorization is offered. In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorized access to data,” HP concludes.
Want to delve a bit deeper? Be sure to check out HP’s entire report, as well as explore ways to embed hardware-based security into future wearable designs.
Atmel | Bits & Pieces 