Menu
HP study finds smartwatches could do more to keep user data safe

HP study finds smartwatches could do more to keep user data safe

More transparency is needed around how data collected by smartwatch apps is used, said HP

Smartwatches are failing people at keeping their data safe and protecting them from hackers.

Those are the findings of a study from Hewlett-Packard, whose Fortify on Demand security division tested 10 popular smartwatches. The company is in the process of alerting vendors about the flaws and can't disclose the watches it tested, said Daniel Miessler, practice principal at HP.

HP also examined the security around the Web interfaces and mobile apps that accompany smartwatches and allow a person to access the device as well as how data gathered by watch apps is protected and used.

The study found vulnerabilities with each of the watches and raised concerns over user authentication methods, data encryption and data privacy, among other issues.

Only half of the watches HP tested let users lock the device's screen, potentially allowing a stranger to access their sensitive information if the wearable was lost or stolen. Smartwatch sensors collect health data, including heart beats, and the devices store personal details like a person's name, address and birth date. Two of the watches that lack the ability to lock a screen could be paired with a smartphone other than the owner's, giving an attacker access to the wearable's data.

The smartwatches fell short when it came to encrypting data that's sent to the cloud. While the wearables used SSL and TLS security protocols to encrypt information, some relied on SSL 2.0, an older version of the protocol that's known to have security flaws. Additionally, 40 percent of the watches were vulnerable to POODLE attacks.

In some cases, vendors prioritize getting smartwatches on the market over security so measures like data encryption are overlooked. Others don't realize the dangers of transmitting data in clear text form, Miessler said.

HP questioned if there's enough transparency around how data collected by watch apps is used, saying people and app developers may not realize that information ends up on a "substantial" number of servers. This provides attackers more access points to the data, either by intercepting it in transit or going after the servers where it's stored, Miessler said. Some of the places where smartwatch data ended up included advertising and analytics networks, he added.

HP took issue with how seven of the 10 the watches processed firmware updates. Those devices were sent unencrypted updates, and while they were signed to prevent malicious files from being uploaded, this didn't prevent them from being downloaded and viewed by others.

Consumers may not realize they need to be aware of security issues around mobile apps and Web interfaces used to access smartwatches, Miessler said.

"It's not just a smartwatch. It's the ecosystem around it," he said.

Of the devices HP tested, three had Web interfaces and mobile apps that could be used to access the smartwatch. HP said the password-creation requirements for these systems weren't complex. Additionally, the interfaces and apps didn't lock out people after they entered the wrong password multiple times and lacked two-factor authentication. When paired with accounting-harvesting tactics, which cull the Web for information on people, these weaknesses could allow an attacker to use brute force attacks to figure out a person's password, HP said.

As smartwatch adoption grows, HP predicted the devices will become appealing targets for hackers since people will store sensitive information on them such as data for making purchases or even unlocking their homes' doors.

But those security concerns, as well as how smartwatch app data is used, aren't on a person's mind when they purchase a wearable, Miessler said. Instead, they're looking at what features, like fitness and wellness monitoring, a smartwatch offers.

"They're thinking what kind of health data can you get from the wearable, not where is the health data going," he said.

Fred O'Connor writes about IT careers and health IT for The IDG News Service. Follow Fred on Twitter at @fredjoconnor. Fred's e-mail address is fred_o'connor@idg.com

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags consumer electronicssecurityHewlett-Packard

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments