Smartwatch security stinks, HP study claims

Vulnerabilities all over the shop

That smartwatch on your wrist might not be as safe as you once thought. A study conducted by HP has uncovered a worryingly high level of security vulnerabilities on 10 different wearables.

HP's Fortify division – which offers security services and products to HP customers – ran its "Internet of Things security study: Smartwatches" with a 100% success rate in finding vulnerabilities in the 10 smartwatches that it tested. While HP opted not to name the specific devices tested, the study cites security holes ranging from insufficient authentication to lack of encryption and general privacy concerns.

"As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks," said Jason Schmitt, general manager, HP Security, Fortify, according to Computer Weekly.

The study used HP's Fortify on Demand IoT testing methodology that combines manual testing with automated tools. Smartwatches and the attached components were tested based on the OWASP (Open Web Application Security Project) IoT Top 10 and specific vulnerabilities associated with categories in that top 10.

The worst issue has to do with insufficient user authentication and the mechanisms that come with them. Just shy of a third of the models tested had issues with this due to a lack of password protection on the device itself and lack of account lock-out options.

Encryption is another highlighted issue. Regardless of whether SSL or TLS had been implemented, HP's study reports that 40% of smartwatch connections to the cloud were vulnerable to the Poodle vulnerability in SSL 3.0. Poodle, or Padding Oracle On Downgraded Legacy Encryption to call it by its full name, is a man-in-the-middle exploit that can be used to attack browser based communication that relies on SSL 3.0 for encryption and authentication.

Insecure interfaces, software and firmware are also a big problem, with HP claiming to have found that 70% of smartwatches exhibit problems in this area.

Protect yourself

HP recommends that, while manufacturers are making improvements to the devices, you should consider security when buying a smartwatch and limit the amount of personal information put onto the device. Owners or would-be owners should also be sure to set up strong passwords or use two-factor authentication.

The study concludes with predicting that smartwatches could eventually replace smartphones as a way to control communication and manage daily tasks. According to HP, this rapid growth will only hasten the level of abuse brought on by malicious hackers and other cyber criminals.

In short, expect (or hope) to see plenty of security patches and feature updates from smartwatch makers in the coming weeks and months. Until then, mind your watch's business.