Tag Archives: Smartwatch Security

Is your smartwatch stealing your passwords?


A computer science student has demonstrated that software running on a smartwatch could be used to record a user’s passwords and PINs.


Unless you eschew modern technology altogether (reading websites included), chances are that data on you is being collected. Smartphones are capable enough data sponges, but smartwatches have the potential to extend this reach even further. According to Tony Beltramelli’s master’s thesis for the IT University of Copenhagen, the sensors on the Sony SmartWatch 3 (and likely many other present and future watches) are so accurate that they can be used to sense which button you press on a 12-segment keypad with “above-average” precision.


As seen in the video below, it appears that this ability comes from the user actually moving their hand from button to button. The wearable’s built-in accelerometer and gyroscope can sense these motions and then feed that information into a recurrent neural network. Using a deep learning algorithm, Beltramelli is able to sift through all the “noisy data” and detect patterns for various events, such as when the user moves and taps their finger on a touchscreen to unlock a PIN-protected phone or when the user enters a code on an ATM’s keypad.

Interestingly, as reported in section 6.3 of the thesis, the device did a better job of “touchlogging” — recording virtual keystrokes on a touchscreen — at 73% accuracy, versus “keylogging” — where a physical keyboard is used for input — at 59% accuracy. The touchscreen used in this experiment was larger than the keypad, which apparently accounts for the discrepancy.

“By their very nature of being wearable, these devices, however, provide a new pervasive attack surface threatening users’ privacy, among others,” Beltramelli explains. “The goal of this work is to raise awareness about the potential risks related to motion sensors built-in wearable devices and to demonstrate abuse opportunities leveraged by advanced neural network architectures.”

As you can imagine, there are still a few limitations that make this type of approach with a smartwatch impractical as an attack against specific targets. For starters, it only works if the person is typing with the arm the gadget is on. So, if you have a watch and are concerned about spying, you can simply strap it onto your non-dominant wrist. Alternatively, you could make a habit of typing with three fingers on numeric keypads.

Report: 100% of tested smartwatches exhibit security flaws


HP report finds a majority of smartwatches to have insufficient authentication, lack of encryption and privacy concerns.


While wearable technology continues to increase in popularity, it appears that embedded security may have been left behind. That is according to new research conducted by HP, which discovered serious vulnerabilities in a vast majority of today’s most popular wrist-adorned timekeeping devices.


Without question, the wearables space has experienced tremendous growth over the last couple of months, with analysts now projecting the space to surge upwards of 150 million units by 2019. However, as smartwatches like the Apple Watch, the Motorola Moto 360 and the Samsung Gear become mainstream, malicious hackers have found a new entry point for consumers’ most valuable and confidential data.

For its “Smartwatch Security Study,” HP combined manual testing along with the use of digital tools and its HP Fortify on Demand methodology to evaluate 10 of what they believe to be today’s “top” gadgets. The team found many of the devices to be susceptible because they simply lacked basic, industry standard security measures. While the results may be disappointing, they are not too surprising given the latest string of hacks and breaches.

“Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities,” explained Jason Schmitt, general manager of HP Security, Fortify. “As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.”

Topping the list of flaws were insufficient verification, lack of encryption, insecure web interfaces and other privacy concerns. Not only did every tested unit lack a two-factor authentication process and the ability to lock out accounts after three to five failed password attempts, but the company flagged as many as 30% of the wearables as vulnerable to account harvesting, a technique where an attacker could gain access to the device and its data using a combination of weak password policy, lack of account lockout and user enumeration.


Additionally, researchers uncovered that the devices demonstrated a lack of transport encryption protocols. While each of them implemented encryption using SSL/TLS, 40% of the watches remained defenseless to known vulnerabilities such as POODLE, allowed the use of weak ciphers or still used SSL v2.

30% of the tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate study, three in 10 exhibited account enumeration concerns with their mobile applications as well. This flaw enables hackers to identify valid user accounts through the feedback returned by password-reset mechanisms.
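To make the account-harvesting combination concrete (weak lockout plus user enumeration, as described in the two paragraphs above), here is an added example, not code from HP’s report or from any tested watch: a toy password-reset and login flow in its leaky form next to a hardened form. The user store, salt, passwords and lockout threshold are constructed for the demo.

```python
# Added illustration (not from the HP study): enumeration via reset/login
# feedback and missing lockout, beside a hardened version.
import hashlib
import hmac

_SALT = b"demo-salt"          # constructed; real systems use a per-user salt
LOCKOUT_THRESHOLD = 5         # HP recommends lockout after 3-5 failures


def _h(pw: str) -> bytes:
    """Salted password hash (PBKDF2 with a demo salt and iteration count)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 10_000)


USERS = {"alice": _h("correct horse"), "bob": _h("hunter2")}  # constructed
_DUMMY = _h("no-such-user")   # compared against when the user is unknown
FAILED: dict = {}             # username -> consecutive failed attempts


def reset_weak(username: str) -> str:
    """Leaks existence: the message differs for valid and invalid names."""
    if username in USERS:
        return "Reset link sent to your email."
    return "No account with that username."


def reset_hardened(username: str) -> str:
    """Same message either way; the mail (if any) goes out of band."""
    if username in USERS:
        pass  # send the reset email here; nothing observable changes
    return "If that account exists, a reset link has been sent."


def login_weak(username: str, password: str) -> str:
    """No lockout, and the error text reveals whether the user exists."""
    if username not in USERS:
        return "unknown user"
    if USERS[username] == _h(password):
        return "ok"
    return "wrong password"


def login_hardened(username: str, password: str) -> str:
    """Uniform error, constant-time compare, lockout after N failures.
    Failures are counted for unknown names too, so the lockout itself
    does not reveal which accounts exist."""
    if FAILED.get(username, 0) >= LOCKOUT_THRESHOLD:
        return "invalid credentials"
    stored = USERS.get(username, _DUMMY)       # hash always computed
    ok = hmac.compare_digest(stored, _h(password)) and username in USERS
    if ok:
        FAILED.pop(username, None)
        return "ok"
    FAILED[username] = FAILED.get(username, 0) + 1
    return "invalid credentials"
```

A real deployment would also rate-limit by source and notify the account owner; the point here is only that the hardened responses are indistinguishable for existing and non-existing accounts.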

Making matters worse, 7 out of 10 gadgets analyzed are said to have problems with firmware updates. Researchers revealed that most of the smartwatches did not receive encrypted firmware updates, and while a number of updates were signed to help prevent malicious code or tampered updates from being installed, the lack of encryption still allowed the update files to be downloaded and inspected elsewhere.

If that all wasn’t scary enough, HP says the wearables demonstrate a risk to personal security and privacy, exposing everything from names, addresses and dates of birth to weight, gender and heart rate information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal data is surely a concern.

“As manufacturers work to incorporate necessary security measures into smartwatches, consumers are urged to consider security when choosing to use a smartwatch. It’s recommended that users do not enable sensitive access control functions such as car or home access unless strong authorization is offered. In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorized access to data,” HP concludes.

Want to delve a bit deeper? Be sure to check out HP’s entire report, as well as explore ways to embed hardware-based security into future wearable designs.