HP warns how all smartwatches are vulnerable to attacks in latest research
Research from HP Fortify on Internet of Things (IoT) security has revealed 100% of smartwatches tested contain “significant” vulnerabilities, including authentication, encryption and privacy concerns.
In particular, every smartwatch tested lacked two-factor authentication with its mobile interfaces, as well as the ability to lock accounts after up to five failed password attempts. 30% were vulnerable to account harvesting, while 40% of cloud connections tested were vulnerable to the man-in-the-middle POODLE (Padding Oracle on Downgraded Legacy Encryption) attack.
It gets worse. The majority (70%) of smartwatches tested had concerns with protection of firmware updates, including transmitting firmware updates without encryption, while all smartwatches collected some form of personal information leading to privacy concerns.
HP used HP Fortify on Demand, a managed application security testing service, to assess 10 smartwatches alongside their Android and iOS cloud and mobile application components. As the IoT develops and expands, HP warns these study results show a lackadaisical attitude towards security, where smartwatches could easily be another endpoint to attack.
Jason Schmitt, HP Security Fortify general manager, commented: “Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities.”
He added: “As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.”
Matt White, senior manager for KPMG’s cyber security practice, argues the ‘device pairing’ method of security provides “limited protection” from a serious assailant, and asserts other actors are to blame.
“As is often the case, consumer demand for new and exciting technologies has far surpassed the implementation of security measures,” he said. “As with many security conversations, the level of security is a recipe of convenience, user experience and security.
“It would be a fair assumption that for the average user the general level of awareness [of security] is low, but this begs the question of who should be responsible for the protection of [smartwatches]?” White adds. “Should it be the manufacturer or the user themselves? The answer isn’t clear, but it’s likely that the ‘bad guys’ won’t be waiting for security to catch up with the current advancements.”