Through a series of studies into IoT security, HP has found that smartwatches with network and communication functionality are an open frontier for cyber attacks.
The study conducted by HP Fortify, evaluated ten of the top smartwatches on today’s market from an attacker’s perspective along with their paired Android or iOS mobile device and application.
The most common and easily addressable security issues reported include insufficient user authentication and authorisation, insecure interfaces, software and firmware, and privacy concerns.
The "Internet of Things Security Study: Smartwatches" found that 70% of watch firmware was transmitted without encryption and that data collected initially on the wearable and passed through to an application is often sent to multiple backend destinations, often including third parties.
The company was able to intercept and detect the sensitive data being routed to multiple locations on the internet whether using a health, financial, or gaming app.
The HP Fortify’s study revealed that two in ten stolen devices could be paired with an attacker’s smartphone, that three in ten watches ant their apps were vulnerable to account harvesting, and that half of the tested devices offered the ability to implement a PIN or pattern to lock the screen.
HP said in the report: "Our research shows that these wearables present a risk that goes beyond the device. The number of places that data are being sent during the standard use of a given application increases the number of access points."
The company urged consumers to consider security when choosing to use a smartwatch, recommending buyers to not enable sensitive access control functions such as car or home access unless strong authorisation is offered.
Sian John, CSS EMEA at Symantec, said: "We also found vulnerabilities in how personal data is stored and managed, including passwords being transmitted in clear text. With more and more consumers adopting wearable tech devices, they need to be aware of the potential risks to security and privacy.
"There are a few basic security precautions to help guard against the risk of exposing personal and self-tracking information when using these devices."
Alexandru Catalin Cosoi, CSS at Bitdefender, said: "Since these devices upload and display data using a smartphone, they inherit the security risks associated with mobile devices, plus the transmission flaws that may be exploited for traffic sniffing, while data is travelling from one device to the other.
To enhance security, manufacturers need to consider encrypting communications in transit, securing mobile interfaces from account enumeration and providing regular firmware updates. Users should do their part by enabling two-factor authentication and locking their smart devices with complex passcodes to prevent unauthorised access."
Phil Barnett, GM of EMEA at Good Technology, added: "Industries, particularly those that are highly regulated, need to establish a policy that outlines which users are eligible, which devices can be supported and which mobile applications are acceptable.
One way to ensure enterprise data is secure on smartphones, tables and wearable devices is keeping it in separate, encrypted containers. Clear policy controls will mitigate the security risks that come with these new devices."
