Endpoint

7/24/2015
09:20 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Smartwatches Could Become New Frontier for Cyber Attackers

Every single smartwatch tested in a recent study by HP had serious security weaknesses.

Watches with network and communication functionality are opening up a new frontier for cyber attackers thanks to a largely cavalier attitude towards security by manufacturers, a new study by HP warns.

HP assessed the available security features on 10 smartwatches along with their Android and iOS cloud and mobile application components and found every single device to have significant vulnerabilities such as insufficient authentication and lack of data encryption.

As part of the study, HP looked at smartwatch management capabilities, network communications, their mobile and cloud interfaces and other potentially vulnerable components.

All of the watches that HP evaluated collected personal data in the form of names, addresses, birth dates, weight, gender and heart rate. Yet not one of them had adequate controls in place for ensuring the privacy and security of the collected data either while on the device or in transit.

For instance, every smartwatch that HP tested was paired with a mobile interface that lacked two-factor authentication. None of the interfaces had the ability to lock out accounts after multiple failed login attempts. A significant 40 percent of the tested products used weak cyphers at the transport layer while a full 70 percent had firmware related insecurities.

 “We found that smartwatch communications are easily intercepted in 90 percent of cases, and 70 percent of watch firmware is transmitted without encryption,” says Daniel Miessler, lead researcher for the study at HP. “These statistics reveal areas of security risk and are extremely worrisome, as smartwatches are likely to become a key access control point as adoption expands,” Miessler said in emailed comments to Dark Reading.

Current use cases for smartwatches extend beyond the usual activity and health monitoring applications to areas like messaging, monitoring and schedule checking. Because the smartwatch depends on an intermediary mobile device to pass information from and to the watch, the security of the gateway device becomes an important factor was well, HP noted in its report.

“The combination of account enumeration, weak passwords, and lack of account lockout means 30 percent of watches and their applications were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access to user accounts,” HP said.

Though smartwatch adoption is largely consumer driven, the security concerns associated with their use extend to enterprises as well. Given the amount of network connectivity, the attack surface areas present, and the highly adaptive nature of the Internet of Things in general, it’s important for enterprises to consider IoT and wearables to be untrusted, unless fully tested, analyzed, and secured, Miessler said.

“Wearables and other IoT related devices should always be segmented from the internal network,” he said.

The increasingly sophisticated recording capabilities of smartwatches and other wearables pose another near-term problem for enterprises, Miessler said. Wearbles, for instance, make it easier for users to surreptitiously record documents and events without being noticed.” For enterprises that may be discussing very sensitive information, or presenting that information in cubes or meeting rooms, the potential for data loss via this method increases significantly,” Miessler said.

Mitigating the threat posed by smartwatches and other IoT devices starts with an awareness of the risks they pose, he said.  It starts with knowing what type of sensors the watches have, and whether the devices can capture audio, video and data, he noted. Administrators also need to be aware of data are entered into these ecosystems, and where that data is sent, Miessler added.

“From there, it will be a matter of creating policies for managing IoT and wearables within the enterprise, whether that’s creating isolated segments on the LAN, determining what types of devices and capabilities are allowed in sensitive corporate areas,” and similar measures, he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
alinafoster
50%
50%
alinafoster,
User Rank: Apprentice
7/27/2015 | 1:38:26 AM
http://www.darkreading.com/endpoint/smartwatches-could-become-new-frontier-for-cyber-attackers/d/d-id/1321452
Its dangerous for us..
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-13435
PUBLISHED: 2018-08-16
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method to disable passcode authentication. NOTE: the vendor indicates that this is not an attack of interest w...
CVE-2018-13446
PUBLISHED: 2018-08-16
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.1 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. ...
CVE-2018-14567
PUBLISHED: 2018-08-16
libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
CVE-2018-15122
PUBLISHED: 2018-08-16
An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource.
CVE-2018-11509
PUBLISHED: 2018-08-16
ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to login and upload a webshell.