All Smartwatches on the market are vulnerable to attacks

A study conducted by HP’s Fortify on security features implemented by Smartwatches revealed that not even a single device found to be 100 percent safe.

Today we talk about a great passion of mine, watches. Let me tell you that I’m not attracted by Smartwatches, I consider watches and their gears a work of art like a painting.
Having said that, today I’ll present you the disconcerting results of a study conducted by the HP’s Fortify firm on the security of Smartwatches.

According to experts at HP, almost every Smartwatch available on the market is vulnerable to cyber attack , including the popular Apple Watch and Samsung Gear.

The HP Fortify tested security features implemented by 10 of the top smartwatches currently on the market. HP has verified the presence of vulnerabilities listed on the OWASP Internet of Things Top 10, 100 percent of wearable devices contained at least one security issue that open them to cyber attacks.

The most common security issues reported by HP include:

• Insufficient User Authentication/Authorization: Every smartwatch evaluated was paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after 3-5 failed password attempts. Three out of ten smartwatches lacked to implement Two-Factor authentication, or the ability to lock accounts after 3 to 5 failed password attempts exposing users to data harvesting.
• Lack of transport encryption: Despite 100 percent of the products implemented transport encryption using SSL/TLS, 40 percent of them establish insecure connections to the cloud being vulnerable to the POODLE attack.
• Insecure Software/Firmware: 70 percent of the evaluated smartwatches lack to protect firmware and validate its updates that were transmitted over unsecure connections and without encrypting the update files. Fortunately, many updates were signed to help prevent attackers sent malicious updates, for example by running MITM attacks.

• Insecure Interfaces: Three out of ten smartwatches used cloud-based web interfaces that were vulnerable to account harvesting. These interfaces don’t implement mechanisms to limit login attempts and in many cases help hackers guess passwords.
• Privacy Concerns: All smartwatches fail to protect user personal information, including name, address, date of birth, weight, gender, heart rate and other health information.

The Study highlights the need of a new approach in the design of smart devices that consider security requirements as crucial requirements to implement. Manufacturers have to pay closer attention to the customers’ security to the risks related to cyber attacks.

“Despite their current limited footprint, smartwatches will likely replace smartphones as a convenient way to control communication and manage daily tasks. As watches become a common part of our daily workflow, we will likely use them for increasingly sensitive tasks like gaining access to our front door at home, entering and turning on our cars, and paying for purchases both in person and online.” concludes the study published by HP. “Whether using a health application, financial, or even gaming application, HP was able to intercept and detect the sensitive data being routed to multiple locations on the Internet.”

HP confirmed that it would not disclose the names of smartphone manufacturers of the devices it evaluated, but they are working with vendors to “build security into their products before they put them out to market.”

Pierluigi Paganini

(Security Affairs – Wearable devices, hacking)