Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

All Smartwatches Vulnerable to Attack: HP Study

HP this week shared the results of a security assessment revealing that virtually all smartwatches with network and communication functionality are vulnerable to cyberattacks.

HP this week shared the results of a security assessment revealing that virtually all smartwatches with network and communication functionality are vulnerable to cyberattacks.

The study, conducted by HP Fortify, found that 100 percent of the tested smartwatches contain significant vulnerabilities, including poor authentication, lack of encryption and privacy issues.

HP said that it evaluated 10 of the top smartwatches currently on the market, along with their Android and iOS apps, from an attacker’s perspective.

Smartwatch Security VulnerabilitiesTo conduct the assessment, HP used its Fortify on Demand IoT testing methodology, which combined manual testing along with the use of automated tools. Devices and their components were assessed based on the OWASP Internet of Things Top 10 and the specific vulnerabilities associated with each top 10 category, HP said.

The results were not surprising to HP researchers, and it shouldn’t be surprising to any security professional.


The most common security issues reported by HP include:

Insufficient User Authentication/Authorization: Every smartwatch tested was paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after 3-5 failed password attempts. Three in ten, 30 percent, were vulnerable to account harvesting, meaning an attacker could gain access to the device and data via a combination of weak password policy, lack of account lockout, and user enumeration.

Lack of transport encryption: Transport encryption is critical given that personal information is being moved to multiple locations in the cloud. While 100 percent of the test products implemented transport encryption using SSL/TLS, 40 percent of the cloud connections continue to be vulnerable to the POODLE attack, allow the use of weak cyphers, or still used SSL v2.

Advertisement. Scroll to continue reading.

Insecure Interfaces: Thirty percent of the tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate test, 30 percent also exhibited account enumeration concerns with their mobile applications. This vulnerability enables hackers to identify valid user accounts through feedback received from reset password mechanisms.

Insecure Software/Firmware: A full 70 percent of the smartwatches were found to have concerns with protection of firmware updates, including transmitting firmware updates without encryption and without encrypting the update files. However, many updates were signed to help prevent the installation of contaminated firmware. While malicious updates cannot be installed, lack of encryption allows the files to be downloaded and analyzed.

Privacy Concerns: All smartwatches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal information is a concern.

HP did not release the specific smartwatches or manufacturer for models tested, but did say they notified the smartwatch makers.

“HP’s practice is to notify the affected companies and provide them with an opportunity to address the security issues uncovered by our testing,” an HP spokesperson told SecurityWeek.

“Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities,” said Jason Schmitt, general manager, HP Security, Fortify. “As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.”

“HP’s SmartWatch Security Study found that that smartwatches showed a lack of transport encryption protocols. While every device implemented encryption using SSL/TLS, 40 percent of devices continued to be vulnerable to known vulnerabilities such as POODLE, or still used SSL v2,” Kevin Bocek, Vice President of Security Strategy for Venafi, told SecurityWeek.

“The Internet of Things (IoT) will continue to be a frequent target for cybercriminals as its prevalence in the market increases. Security, however, appears to be an afterthought when it comes to Internet enabled devices such as Smartwatches,” Bocek said.

HP recommended that smartwatch users hold off on using sensitive access control functions such as car or home access unless strong authorization is offered. Additionally, HP said enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorized access to data.

Additional guidelines for secure smartwatch use are outlined in the full report: “HP Internet of Things Security Report: Smartwatches,” HP, July 2015 

Related Reading: The Second War of Independence: Wearables vs. Security

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.