HP study finds smartwatches could do more to keep user data safe

More transparency is needed around how data collected by smartwatch apps is used, said HP

Smartwatches are failing people at keeping their data safe and protecting them from hackers.

Those are the findings of a study from Hewlett-Packard, whose Fortify on Demand security division tested 10 popular smartwatches. The company is in the process of alerting vendors about the flaws and can't disclose the watches it tested, said Daniel Miessler, practice principal at HP.

HP also examined the security around the Web interfaces and mobile apps that accompany smartwatches and allow a person to access the device as well as how data gathered by watch apps is protected and used.

The study found vulnerabilities with each of the watches and raised concerns over user authentication methods, data encryption and data privacy, among other issues.

Only half of the watches HP tested let users lock the device's screen, potentially allowing a stranger to access their sensitive information if the wearable was lost or stolen. Smartwatch sensors collect health data, including heart beats, and the devices store personal details like a person's name, address and birth date. Two of the watches that lack the ability to lock a screen could be paired with a smartphone other than the owner's, giving an attacker access to the wearable's data.

The smartwatches fell short when it came to encrypting data that's sent to the cloud. While the wearables used SSL and TLS security protocols to encrypt information, some relied on SSL 2.0, an older version of the protocol that's known to have security flaws. Additionally, 40 percent of the watches were vulnerable to POODLE attacks.

In some cases, vendors prioritize getting smartwatches on the market over security so measures like data encryption are overlooked. Others don't realize the dangers of transmitting data in clear text form, Miessler said.

HP questioned if there's enough transparency around how data collected by watch apps is used, saying people and app developers may not realize that information ends up on a "substantial" number of servers. This provides attackers more access points to the data, either by intercepting it in transit or going after the servers where it's stored, Miessler said. Some of the places where smartwatch data ended up included advertising and analytics networks, he added.

HP took issue with how seven of the 10 the watches processed firmware updates. Those devices were sent unencrypted updates, and while they were signed to prevent malicious files from being uploaded, this didn't prevent them from being downloaded and viewed by others.

Consumers may not realize they need to be aware of security issues around mobile apps and Web interfaces used to access smartwatches, Miessler said.

"It's not just a smartwatch. It's the ecosystem around it," he said.

Of the devices HP tested, three had Web interfaces and mobile apps that could be used to access the smartwatch. HP said the password-creation requirements for these systems weren't complex. Additionally, the interfaces and apps didn't lock out people after they entered the wrong password multiple times and lacked two-factor authentication. When paired with accounting-harvesting tactics, which cull the Web for information on people, these weaknesses could allow an attacker to use brute force attacks to figure out a person's password, HP said.

As smartwatch adoption grows, HP predicted the devices will become appealing targets for hackers since people will store sensitive information on them such as data for making purchases or even unlocking their homes' doors.

But those security concerns, as well as how smartwatch app data is used, aren't on a person's mind when they purchase a wearable, Miessler said. Instead, they're looking at what features, like fitness and wellness monitoring, a smartwatch offers.

"They're thinking what kind of health data can you get from the wearable, not where is the health data going," he said.

Fred O'Connor writes about IT careers and health IT for The IDG News Service. Follow Fred on Twitter at @fredjoconnor. Fred's e-mail address is fred_o'connor@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags consumer electronicssecurityHewlett-Packard

More about FortifyFredFred'sHPIDGNewsTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Fred O'Connor

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place