Smartwatches contain a range of security flaws, raising fresh concerns about wearable devices gathering and sharing big data and personal information across the Internet of Things (IoT), according to new research from Hewlett-Packard Co.
After testing 10 major smartwatch brands, HP Fortify determined that all 10 devices suffered from significant vulnerabilities -- including insufficient authentication, weak transport encryption and privacy concerns.
The five most common issues, according to HP, included:
1. Insufficient User Authentication/Authorization: Three of the 10 watches were vulnerable to account harvesting, HP said: user enumeration gives an attacker a list of valid accounts, the lack of account lockout lets them guess passwords against those accounts without limit, and a weak password policy makes the guesses likely to succeed, giving access to the device and its data.
2. Lack of transport encryption: All 10 products implemented transport encryption using SSL/TLS, but four of the 10 cloud connections were vulnerable to the POODLE attack, allowed the use of weak ciphers, or still accepted SSL v2, HP asserted. POODLE exploits SSL 3.0's CBC padding, so a server that will still negotiate SSL 3.0 or SSL 2.0 undermines the encryption it nominally provides; whether a server still offers these protocols or weak suites can be confirmed with a protocol scan such as nmap's ssl-enum-ciphers script.
3. Insecure Interfaces: Three of the 10 tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate test, 30 percent also exhibited account enumeration concerns with their mobile applications. This vulnerability lets an attacker identify valid user accounts from the feedback a password reset mechanism returns, for example a different message for a registered and an unregistered email address, HP said.
4. Insecure Software/Firmware: Seven of the 10 smartwatches had firmware security issues, including transmitting firmware updates over unencrypted connections and shipping unencrypted update files. However, many updates were signed, which prevents the installation of tampered firmware on devices that verify the signature. Signing does not provide confidentiality: the lack of encryption still lets an attacker download and analyze the update files, HP noted.
5. Privacy Concerns: All smartwatches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal information is a concern, HP said.
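The following is an added example, not code from HP's report or from any of the tested vendors, showing the mechanics behind items 1 and 3: a password reset handler whose reply reveals whether an address is registered next to one that does not, and a login path with account lockout and a minimal password policy. The user store, email addresses and password are constructed for the example, and SHA-256 stands in for a proper password hash to keep it dependency-free.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
	"time"
)

// Constructed user store (email -> SHA-256 of the password). A real service
// would use a slow password hash such as bcrypt or Argon2; SHA-256 is used
// here only so the example has no dependencies.
var users = map[string][32]byte{
	"alice@example.com": sha256.Sum256([]byte("Correct-Horse-Battery-9")),
}

// resetLeaky mirrors the flaw HP describes: the reply depends on whether the
// address is registered, so the reset form doubles as a user oracle.
func resetLeaky(email string) string {
	if _, ok := users[strings.ToLower(email)]; !ok {
		return "No account exists for that email address"
	}
	return "A password reset link has been sent"
}

// resetUniform returns the same text whether or not the account exists. The
// mail is handed to send() so that in production it can be queued rather than
// sent synchronously, which keeps the response time the same on both paths.
func resetUniform(email string, send func(string)) string {
	if _, ok := users[strings.ToLower(email)]; ok {
		send(email)
	}
	return "If an account exists for that address, a reset link has been sent"
}

// Lockout policy: after maxFailures consecutive failures the account is
// locked for lockWindow, which caps online password guessing.
const (
	maxFailures = 5
	lockWindow  = 15 * time.Minute
	minPassword = 12
)

// PasswordAcceptable enforces a minimal policy: a length floor and a short
// blocklist of the passwords tried first in any online guessing attack.
func PasswordAcceptable(pw string) bool {
	blocklist := map[string]bool{"password": true, "123456": true, "qwerty": true}
	return len(pw) >= minPassword && !blocklist[strings.ToLower(pw)]
}

type attempt struct {
	failures    int
	lockedUntil time.Time
}

// Authenticator takes a clock so the lock window can be exercised without
// waiting 15 minutes.
type Authenticator struct {
	now      func() time.Time
	attempts map[string]*attempt
}

func NewAuthenticator(now func() time.Time) *Authenticator {
	return &Authenticator{now: now, attempts: map[string]*attempt{}}
}

// Login returns "ok", "locked" or "invalid credentials". The last is used for
// both an unknown user and a wrong password, so the login form is not a user
// oracle either.
func (a *Authenticator) Login(email, password string) string {
	key := strings.ToLower(email)
	st := a.attempts[key]
	if st == nil {
		st = &attempt{}
		a.attempts[key] = st
	}
	if a.now().Before(st.lockedUntil) {
		return "locked"
	}
	want, known := users[key]
	got := sha256.Sum256([]byte(password))
	// Constant-time compare so the hash comparison itself leaks nothing.
	if known && subtle.ConstantTimeCompare(want[:], got[:]) == 1 {
		st.failures = 0
		return "ok"
	}
	st.failures++
	if st.failures >= maxFailures {
		st.lockedUntil = a.now().Add(lockWindow)
		st.failures = 0
	}
	return "invalid credentials"
}

func main() {
	fmt.Println(resetLeaky("alice@example.com"), "|", resetLeaky("bob@example.com"))
	fmt.Println(resetUniform("alice@example.com", func(string) {}), "|",
		resetUniform("bob@example.com", func(string) {}))
	a := NewAuthenticator(time.Now)
	for i := 0; i < maxFailures; i++ {
		a.Login("alice@example.com", "password")
	}
	fmt.Println("after 5 bad guesses:", a.Login("alice@example.com", "Correct-Horse-Battery-9"))
	fmt.Println("policy accepts 'password'?", PasswordAcceptable("password"))
}
```

The three controls only work together: a uniform reset message removes the account list, lockout makes each remaining guess expensive, and the policy removes the passwords an attacker would try within the first few attempts anyway. Note that locking the legitimate user out after five failures is itself a denial-of-service lever, so a real service would usually combine it with per-IP rate limiting or a back-off rather than a hard lock.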
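Item 4 draws a distinction that is easy to miss: signing an update and encrypting it solve different problems. The following added example (not HP's code, nor any vendor's) uses Ed25519 from the Go standard library with a constructed firmware image: the signature check rejects a tampered image, but because the image travels in the clear, anyone who captures it can read its header and strings without any key. The image contents, version string and hostname are all made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed firmware image: a plaintext header followed by a body. Because
// it is shipped unencrypted, anyone on the path can read the version string
// and pick through the body; the signature only stops them changing it.
var firmware = []byte("WATCHFW v2.3.1 build 8812\n" +
	"\x7fELF...code and embedded strings such as https://api.example.invalid/sync")

// Update is what the watch receives: the image plus a detached signature
// made with the vendor's private key, which never leaves the vendor.
type Update struct {
	Image     []byte
	Signature []byte
}

// Sign is the vendor-side step.
func Sign(priv ed25519.PrivateKey, image []byte) Update {
	return Update{Image: image, Signature: ed25519.Sign(priv, image)}
}

// Install is the device-side check: only a genuine, unmodified image passes.
// A device that skips this check would install anything it is handed.
func Install(pub ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pub, u.Image, u.Signature) {
		return errors.New("firmware signature invalid: update rejected")
	}
	return nil
}

// VersionOf is what an attacker can do with an unencrypted image and no key
// at all: parse it. Here it reads the version out of the header line.
func VersionOf(image []byte) string {
	if i := bytes.IndexByte(image, '\n'); i >= 0 {
		return string(image[:i])
	}
	return ""
}

// Tamper models a man-in-the-middle redirecting the watch's cloud endpoint
// inside the captured image while keeping the original signature.
func Tamper(u Update) Update {
	img := bytes.Replace(u.Image, []byte("api.example.invalid"), []byte("evil.example.invalid"), 1)
	return Update{Image: img, Signature: u.Signature}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	u := Sign(priv, firmware)
	fmt.Println("readable on the wire:", VersionOf(u.Image))
	fmt.Println("genuine update:", Install(pub, u))
	fmt.Println("tampered update:", Install(pub, Tamper(u)))
}
```

Signing covers integrity and origin, which is why HP counts the signed updates as mitigating malicious installs; it does nothing for confidentiality, so the disclosure risk HP describes (reverse engineering the image, harvesting endpoints and credentials baked into it) remains unless the image is also encrypted for the device.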
The report emerges as Apple Watch begins to attract a range of interest from such vertical markets as healthcare, financial services and insurance. For example, one-third of insurers have embraced wearable computing in some form, according to Accenture. And a range of Apple Watch healthcare apps are surfacing.
Without commenting directly about the HP report, Apple continues to update its Apple Watch security page each time an issue is fully investigated and a patch is released. Moreover, third-party Apple Watch authentication apps are starting to reach the market. Apple says its smartwatch sales exceeded internal expectations in the company's Q2 2015, though the company declined to discuss actual sales figures.
Meanwhile, some Android smartwatch makers are focusing heavily on security to differentiate from rivals. GoldKey, for example, offers encryption and other secure communications capabilities in its Android device.
Although the wearable market remains in its infancy, security risks could spread as smartwatches plug into the IoT ecosystem -- which features sensors, beacons and other intelligent edge machines that gather and share data with big data clouds. Already, IoT itself has faced a round of security and privacy concerns -- especially as companies try to determine just how much sensor data to gather, manage and store.