7 Places Smartwatches Are Falling Short On Security
Smart, But Not Secure
Smartwatches are rising in popularity, with Gartner predicting there will be 4.9 billion connected devices by 2015, but a Hewlett-Packard security study shows that they aren't being built with a security-first mindset. The study dug into the security features of 10 of the market's top smartwatches (without naming names) and the mobile and cloud components they pair with, and the results were "disappointing, but not surprising." The challenge with the smartwatch market, said Daniel Miessler, HP practice principal, is that manufacturers and application developers are not taking lessons learned from other markets, such as web, mobile and cloud, and applying those best practices to the emerging smartwatch space.
Take a look at some of the places the report found that smartwatches are missing the boat when it comes to security, and some ways businesses can compensate for the shortcomings.
Insufficient Authentication/Authorization
A combination of weak password schemes and a lack of account lockout has left many smartwatches with insufficient authentication and authorization, Miessler said. On top of that, the report found that many of the smartwatches had insecure password-recovery mechanisms and poorly protected credentials. Three smartwatches failed to meet standards of complexity and length for passwords: two required only an eight-character numeric password and one only an eight-character alphanumeric password. None of the three locked the account after three to five failed attempts, which Miessler said left them open to brute-force attacks.
Insecure Network Services
Miessler said the HP investigation found that communications between the watch, the cloud and mobile devices could be easily intercepted in 90 percent of cases as data moved among multiple back-end systems. Vulnerabilities like that, Miessler said, open the door to man-in-the-middle attacks and, in general, expand the attack surface across a variety of devices. The review also found that one watch ran a functioning DNS server, which could be abused for DNS amplification attacks. To help remedy this problem, Miessler recommended enterprises put wearables on a segmented network until their security is up to par.
Lack Of Transport Encryption
One "pretty crazy" finding from the HP investigation was that 70 percent of the watches transmitted firmware updates without encryption, Miessler said. That leaves an easy open door for attackers to search the update for sensitive information, he said. On top of that, the report found that 40 percent of cloud connections were vulnerable to known attacks such as POODLE, or used weak ciphers or SSL v2.
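The kind of check that turns the transport findings above into something a team can run against its own back ends, as an added example that is not part of the HP report or of this article: a small auditor that flags SSL v2, SSL v3 (POODLE) and weak cipher suites in a scanner's view of an endpoint, alongside the hardened client settings the watch and its mobile app should use. The scan results are constructed data in the shape a tool such as sslscan would report, not figures from the study; the cipher-string and marker list are this example's own assumptions.

```python
import ssl
from typing import Optional

# Protocol versions the review flagged, with the reason each one is a finding.
WEAK_PROTOCOLS = {
    "SSLv2": "SSLv2 offered: obsolete and cryptographically broken",
    "SSLv3": "SSLv3 offered: CBC suites are exploitable via POODLE",
    "TLSv1": "TLSv1.0 offered: deprecated (RFC 8996)",
    "TLSv1.1": "TLSv1.1 offered: deprecated (RFC 8996)",
}
# Substrings in OpenSSL suite names that mark a weak, export-grade or unauthenticated cipher.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "ANON")


def weak_cipher_reason(name: str) -> Optional[str]:
    upper = name.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            return f"weak cipher offered: {name} (matched {marker})"
    return None


def audit_tls(scan: dict) -> list:
    """Turn a scanner's view of an endpoint into a list of findings (empty means clean)."""
    protocols = scan.get("protocols", [])
    findings = [WEAK_PROTOCOLS[p] for p in protocols if p in WEAK_PROTOCOLS]
    for name in scan.get("ciphers", []):
        reason = weak_cipher_reason(name)
        if reason:
            findings.append(reason)
    if not any(p in ("TLSv1.2", "TLSv1.3") for p in protocols):
        findings.append("no modern protocol (TLS 1.2 or 1.3) offered")
    return findings


# Constructed scan results (hypothetical data, not taken from the HP study).
WEAK_BACKEND = {
    "protocols": ["SSLv2", "SSLv3", "TLSv1", "TLSv1.2"],
    "ciphers": ["RC4-SHA", "DES-CBC3-SHA", "EXP-RC4-MD5", "ECDHE-RSA-AES128-GCM-SHA256"],
}
HARDENED_BACKEND = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
}


def hardened_client_context() -> ssl.SSLContext:
    """Client side (watch or companion app): TLS 1.2+, AEAD suites only, cert and hostname checks on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify_mode=CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def context_cipher_names(ctx: ssl.SSLContext) -> list:
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for label, scan in (("weak", WEAK_BACKEND), ("hardened", HARDENED_BACKEND)):
        print(label, audit_tls(scan) or "no findings")
    print("client offers:", context_cipher_names(hardened_client_context()))
```

The weak back end produces six findings (three obsolete protocol versions and three weak suites); the hardened one produces none. Feeding real scanner output into `audit_tls` is the part a practitioner would wire up; the client context shows the other half of the fix, since a server that still offers SSL v3 cannot be downgraded if the client refuses to speak anything below TLS 1.2.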
Privacy Concerns
With most of the watches (more than 70 percent) dealing with health-related and other personal information, privacy concerns are especially important. Given some of the security concerns already mentioned around lack of strong password requirements and transport encryption, the report said that level of sensitive information "is of concern." Beyond just information privacy, Miessler cautioned that as more of the devices move into access-control roles, there could be additional privacy concerns around physical access. By adding access control to the list of privacy concerns, the attack surface "continues to grow," he said. The report recommended users make sure strong, two-factor authentication is used for any access-control applications.
Insecure Cloud Interface
Cloud connections combined with weak password schemes also raise security concerns for smartwatches, Miessler said. Weakly secured communications between the watch and its cloud web interface lead to concerns around account harvesting, he said; in HP's review, 30 percent of the watches had this problem. Adding to it, half of the smartwatches didn't lock the account after repeated failed logins, which hands attackers unlimited attempts to access user cloud accounts through the device. The report recommended that users make sure they are using strong passwords for cloud applications.
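The lockout point raised under "Insufficient Authentication/Authorization" and again here is easy to see in code. The following is an added example, not code from the HP report or from any watch vendor: a minimal credential store whose account lockout can be switched off, and a brute-force loop run against it with an eight-digit numeric password of the kind the weakest watches accepted. The secret, the 5-attempt threshold, the 15-minute window and the reduced PBKDF2 iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5        # lock after this many consecutive failures (the 3-5 range the review cites)
LOCKOUT_SECONDS = 15 * 60      # hypothetical lockout window
PBKDF2_ITERATIONS = 2_000      # kept low so the demo runs quickly; use far more in production
SECRET = "00000317"            # constructed: an 8-digit numeric password, the weakest policy found


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen credential store cannot be cracked quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


class AuthService:
    """Minimal credential store; lockout can be disabled to mirror the weak watches."""

    def __init__(self, lockout: bool):
        self.lockout = lockout
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked'. The clock is injected so the demo is deterministic."""
        acct = self.accounts[user]
        if self.lockout and now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(acct.digest, _hash_password(password, acct.salt)):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if self.lockout and acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.failed_attempts = 0
            acct.locked_until = now + LOCKOUT_SECONDS
        return "bad_password"


def keyspace(alphabet: str, length: int) -> int:
    """Number of candidates an online guesser must cover in the worst case."""
    return len(alphabet) ** length


def numeric_candidates(length: int = 8):
    for i in range(10 ** length):
        yield f"{i:0{length}d}"


def brute_force(service: AuthService, user: str, now: float = 1_000.0) -> tuple:
    """Try 8-digit candidates in order; stop on success or once the account locks."""
    attempts = 0
    for guess in numeric_candidates():
        attempts += 1
        result = service.login(user, guess, now)
        if result in ("ok", "locked"):
            return result, attempts
    return "exhausted", attempts


def simulate(lockout: bool) -> tuple:
    service = AuthService(lockout=lockout)
    service.register("watch-owner", SECRET)
    return brute_force(service, "watch-owner")


if __name__ == "__main__":
    print("8-digit numeric keyspace:", keyspace("0123456789", 8))
    print("no lockout:", simulate(lockout=False))   # ('ok', 318): the attacker gets in
    print("with lockout:", simulate(lockout=True))  # ('locked', 6): stopped after 5 failures
```

Without lockout the loop walks the candidate list until it hits the secret; with lockout it is stopped at the sixth attempt and can make at most five guesses per window, which is what turns a 10^8 keyspace from a weekend job into an impractical one. Lockout on its own is not a complete answer (an attacker who can enumerate accounts can use it for denial of service), which is why the report pairs it with stronger password requirements rather than relying on either alone.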
Insecure Mobile Interface
All of the smartwatches "piggybacked" on a mobile device using Bluetooth or Wi-Fi technology, Miessler said. Similar to the wearable's challenges with cloud interfaces, the HP report also found that 40 percent of the smartwatches had security concerns with their mobile application interfaces, leaving users open to account harvesting.
"We're seeing a number of issues with smartwatches and IoT where the mobile apps associated with the apps are insecure," Miessler said. "The mobile that it is proxying through then becomes an attack surface as well."
To help remedy this problem, the report recommended that enterprises supplement vendor-provided apps with their own ecosystem-specific mobile applications for the devices and ensure that strong passwords are used.
Insecure Software/Firmware
With the majority (70 percent) of smartwatches not encrypting firmware updates, Miessler said there are security concerns around attackers being able to easily search inside firmware updates for sensitive information. That being said, the report found that many of the updates were signed to protect against contaminated firmware. Signing lets the watch reject an image that has been tampered with, but it does nothing to stop an eavesdropper from reading the contents of a legitimate one; keeping those contents private requires encrypting the update as well.
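Why a signed-but-unencrypted update still leaks, shown as an added example rather than code from the HP report or from any vendor: the update is protected by an integrity tag, a flipped bit in the image is rejected, and yet a passive observer can pull the embedded secrets straight out of the wire bytes. The firmware image, the key and the update format are constructed for this example; HMAC stands in for the public-key signature a real device would verify, which changes nothing about the property being shown.

```python
import hashlib
import hmac
import re
from typing import List, Optional

# Hypothetical vendor signing key. A real update uses a public-key signature so the
# device holds only a verification key; HMAC keeps this demo dependency-free and shows
# the same thing: integrity is checked, confidentiality is not.
SIGNING_KEY = b"hypothetical-vendor-signing-key"
MAGIC = b"FWUP"
TAG_LEN = 32

# Constructed firmware image: opaque binary plus the kind of secrets that get baked in.
FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + bytes([0x00, 0xFF, 0x01, 0x80] * 16)
    + b"api_key=SK_live_hypothetical_1234\x00"
    + b"https://updates.example.invalid/v2/check\x00"
    + bytes([0x90, 0x00, 0xCC, 0xC3] * 16)
)


def build_update(image: bytes) -> bytes:
    """Signed but unencrypted: the tag covers the image, the image travels in the clear."""
    tag = hmac.new(SIGNING_KEY, MAGIC + image, hashlib.sha256).digest()
    return MAGIC + tag + image


def verify_update(blob: bytes) -> Optional[bytes]:
    """Device side: return the image only if the tag verifies, otherwise None."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + TAG_LEN:
        return None
    tag = blob[len(MAGIC):len(MAGIC) + TAG_LEN]
    image = blob[len(MAGIC) + TAG_LEN:]
    expected = hmac.new(SIGNING_KEY, MAGIC + image, hashlib.sha256).digest()
    return image if hmac.compare_digest(tag, expected) else None


def tamper(blob: bytes) -> bytes:
    """Active attacker flips one bit in the image body; signing must catch this."""
    buf = bytearray(blob)
    buf[-1] ^= 0x01
    return bytes(buf)


def find_secrets(blob: bytes, min_len: int = 8) -> List[str]:
    """Passive attacker: a 'strings'-style scan of the sniffed, unencrypted update."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


if __name__ == "__main__":
    update = build_update(FIRMWARE)
    print("legitimate update verifies:", verify_update(update) == FIRMWARE)        # True
    print("tampered update verifies:", verify_update(tamper(update)) is not None)  # False
    print("readable on the wire:", find_secrets(update))
```

The signature closes the "contaminated firmware" case the report credits, and nothing else: `find_secrets` recovers the API key and the update URL from the same bytes that verify cleanly. Closing the second case means encrypting the image under a key provisioned to the device (an AEAD such as AES-GCM) in addition to signing it, and it is the combination the report's 70 percent figure says most watches lacked.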