Proving the Business Case for the Internet of Things

Hewlett-Packard finds ten out of ten smart watches have security flaws

Steve Rogerson
July 29, 2015
 
Every smart watch tested by Hewlett-Packard had security flaws, the California-based company announced this month.
 
As part of an ongoing series looking at IoT security, HP unveiled results of an assessment confirming that smart watches with network and communications functionality represent a new and open frontier for cyberattack. The study conducted by HP Fortify found that 100 per cent of the tested smart watches contain significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns.
 
In the report HP provides actionable recommendations for secure smart watch development and use, both at home and in the workplace.
 
As the IoT market advances, smart watches are growing in popularity for their convenience and capabilities. As they become more mainstream, smart watches will increasingly store more sensitive information such as health data, and through connectivity with mobile apps may soon enable physical access functions including unlocking cars and homes.
 
“Smart watches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities,” said Jason Schmitt, general manager for security at HP Fortify. “As the adoption of smart watches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smart watches into corporate networks.”
 
The study questions whether smart watches are designed to store and protect the sensitive data and tasks for which they are built. The company assessed ten smart watches, along with their Android and iOS cloud and mobile application components, uncovering numerous security concerns.
 
The most common and easily addressable security issues reported include insufficient user authentication and authorisation. Every smart watch tested was paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after three to five failed password attempts. Three in ten were vulnerable to account harvesting, meaning an attacker could gain access to the device and data via a combination of weak password policy, lack of account lockout and user enumeration.
 
Transport encryption is critical given that personal information is being moved to multiple locations in the cloud. While 100 per cent of the test products implemented transport encryption using SSL/TLS, 40 per cent of the cloud connections continues to be vulnerable to the Poodle attack, allowed the use of weak cyphers or still used SSL v2.
 
A third of the tested smart watches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate test, 30 per cent also exhibited account enumeration concerns with their mobile applications. This vulnerability enables hackers to identify valid user accounts through feedback received from reset password mechanisms.
 
Seven out of ten of the smart watches were found to have concerns with protection of firmware updates, including transmitting firmware updates without encryption and without encrypting the update files. However, many updates were signed to help prevent the installation of contaminated firmware. While malicious updates cannot be installed, lack of encryption allows the files to be downloaded and analysed.
 
All the smart watches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal information is a concern.
 
As manufacturers work to incorporate necessary security measures into smart watches, consumers are urged to consider security when choosing to use a smart watch. HP recommends that users do not enable sensitive access control functions such as car or home access unless strong authorisation is offered. In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorised access to data. These security measures are not only important to protecting personal data, but are critical as smart watches are introduced to the workplace and connected to corporate networks.  
 
Matt White, senior manager in KPMG's cyber security practice, said about the tests: “With the high profile release of smart watches in recent months, it was inevitable that security flaws were identified. As is often the case, consumer demand for new and exciting technologies have far surpassed the implementation of security measures.”
 
Many of the watches and other wearable technologies use device pairing along with pin and password to provide authentication, but he said this alone provided limited protection from a serious assailant. 
 
“As with many security conversations, the level of security is a recipe of convenience, user experience and security,” he said. “The final ingredient is the level of awareness of the end user. It would be a fair assumption that for the average consumer the general level of awareness is low, but this begs the question of who should be responsible for the protection of them? Should it be the manufacturer or the user themselves? The answer isn’t clear, but it’s likely that the bad guys won’t be waiting for security to catch up with the current advancements.”