Five security steps to take before using your new smartwatch for business

The smartwatch revolution is near, and sales of these hot new wearable are sure to be strong for back to school. However, a new report is raising serious security concerns about that little computer on your wrist.

The Apple Watch has generated new interest in the smart watch and the wearables market, so the security researchers at HP Fortify evaluated 10 of the top Android and iOS (read, the Apple Watch) smartwatches on the market from the perspective of an attacker. And the results weren’t pretty.

Examining the management capabilities, mobile and cloud interfaces, network posture and other elements of the smartwatches that could be exposed to attack, the researchers found significant vulnerabilities in every device tested. HP researchers called the results disappointing, but not surprising.

“We continue to see deficiencies in the areas of authentication and authorization along with insecure connections to cloud and mobile interfaces,” said the report. “Privacy concerns are magnified as more and more personal information is collected. Issues with the configuration and implementation of SSL/TLS that could weaken data security were also present.”

For the study, HP’s researchers looked at 10 popular smartwatches, their paired mobile device and corresponding application. Common use cases included activity and health monitoring, messaging, scheduling and email, and all functions required the mobile device to get the information to the smartwatch – therefore, the security of both devices was relevant.

HP Smartwatch v1

Taking a closer look at the applications and the relationship between the devices, researchers found issues around privacy, account harvesting, and firmware updates happening in the clear, and one watch had a DNS service opening it up to a DNS amplification attack.

Researchers found weak password schemes for watches with a cloud interface, 90 per cent of watch communications were easily intercepted, 70 per cent of firmware was transmitted without encryption, half of devices had no screen lock to make it harder to access if lost or stolen, and devices with a mobile app requiring authentication had no limits on account enumeration – so combined with simple short passwords, a hacker could easily guess their way into the app. All in all, HP said 30 per cent of smartwatches tested were vulnerable to account harvesting.

HP has five recommendations for smartwatch users, particularly those in the line of business that may use the devices in a work context, when it comes to security.

  • Don’t enable sensitive access control functions such as car or home access without strong authentication being offered.
  • If there is a passcode functionality, use it.
  • Turn on all security functionality such as passcodes, screen locks, encryption and two-factor authentication, if available.
  • Use a strong password for any related mobile or cloud applications.
  • Don’t approve any pairing requests you aren’t sure are coming from you.

“Despite their currently limited footprint, smartwatches will likely replace smartphones as a convenient way to control communication and manage daily tasks,” said the report, noting that as adoption increases we will begin to use them for more sensitive tasks. “As this activity increases, the watch platform will become vastly more attractive to those who would abuse that access, and scrutiny will increase.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Jeff Jedras
Jeff Jedras
Jeff Jedras is a technology journalist with IT World Canada and a member of the IT Business team. He began his career in technology journalism in the late 1990s, covering the Ottawa technology sector for Silicon Valley North and the Ottawa Business Journal. He later covered the technology scene in Vancouver before joining IT World Canada in Toronto in 2005, covering enterprise IT for ComputerWorld Canada and the channel for Computer Dealer News. His writing has also appeared in the Vancouver Sun & the Ottawa Citizen.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.