A new study on the Internet of Things with focus on smartwatches released by HP revealed that of 10 smartwatches that were tested, all contain significant vulnerabilities and are a “risk that goes beyond the device”.
So what exactly are we talking about? According to the study (PDF), “the results of the research were disappointing, but not surprising.” There are deficiencies when it comes to authentication and authorization, privacy concerns, and problems with the implementation of SSL/TLS.
Their key takeaways are as follows:
- “Data collected initially on the watch and passed through to an application is often sent to multiple backend destinations (often including third parties)
- Watches that include cloud interfaces often employed weak password schemes, making them more susceptible to attack
- Watch communications are trivially intercepted in 90% of cases
- Seventy percent of watch firmware was transmitted without encryption
- Fifty percent of tested devices offered the ability to implement a screen lock (PIN or Pattern), which could hinder access if lost or stolen
- Smartwatches that included a mobile application with authentication allowed unrestricted account enumeration
- The combination of account enumeration, weak passwords, and lack of account lockout means 30% of watches and their applications were vulnerable to Account Harvesting, allowing attackers to guess login credentials and gain access to user account”
So yes, it’s basically the same cycle as with most of the ‘newer’ tech gadgets. They get released, there is a big hype, but security only becomes important after lots and lots of reports on hacks, vulnerabilities, and the inevitable bad press. Think nothing of it guys, everything is just the way it always was …