As part of an ongoing series looking at Internet of Things (IoT) security, HP today unveiled results of an assessment confirming that smartwatches with network and communication functionality represent a new and open frontier for cyberattack.
The study conducted by HP Fortify found that all of the smartwatches tested contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns.
HP said in a report that, as smartwatches become more mainstream, these will increasingly store more sensitive information such as health data, and through connectivity with mobile apps may soon enable physical access functions including unlocking cars and homes.
HP leveraged HP Fortify on Demand to assess 10 smartwatches, along with their Android and iOS cloud and mobile application components, uncovering numerous security concerns.
The most common and easily addressable security issues reported include, first, insufficient user authentication/authorization. Three in 10 were vulnerable to account harvesting, meaning an attacker could gain access to the device and data via a combination of weak password policy, lack of account lockout, and user enumeration.
Second was lack of transport encryption, with 40% of the cloud connections continue to be vulnerable to the POODLE attack, allow the use of weak cyphers, or still used SSL v2.
Third was insecure interfaces, with 30% exhibiting account enumeration concerns with their mobile applications. This vulnerability enables hackers to identify valid user accounts through feedback received from reset password mechanisms.
Fourth was insecure software/firmware, with 70% of the smartwatches found to have concerns with protection of firmware updates, including transmitting firmware updates without encryption and without encrypting the update files.
And fifth was privacy concerns, with all smartwatches collecting some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal information is a concern.