Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/24/2015
09:20 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Smartwatches Could Become New Frontier for Cyber Attackers

Every single smartwatch tested in a recent study by HP had serious security weaknesses.

Watches with network and communication functionality are opening up a new frontier for cyber attackers thanks to a largely cavalier attitude towards security by manufacturers, a new study by HP warns.

HP assessed the available security features on 10 smartwatches along with their Android and iOS cloud and mobile application components and found every single device to have significant vulnerabilities such as insufficient authentication and lack of data encryption.

As part of the study, HP looked at smartwatch management capabilities, network communications, their mobile and cloud interfaces and other potentially vulnerable components.

All of the watches that HP evaluated collected personal data in the form of names, addresses, birth dates, weight, gender and heart rate. Yet not one of them had adequate controls in place for ensuring the privacy and security of the collected data either while on the device or in transit.

For instance, every smartwatch that HP tested was paired with a mobile interface that lacked two-factor authentication. None of the interfaces had the ability to lock out accounts after multiple failed login attempts. A significant 40 percent of the tested products used weak cyphers at the transport layer while a full 70 percent had firmware related insecurities.

 “We found that smartwatch communications are easily intercepted in 90 percent of cases, and 70 percent of watch firmware is transmitted without encryption,” says Daniel Miessler, lead researcher for the study at HP. “These statistics reveal areas of security risk and are extremely worrisome, as smartwatches are likely to become a key access control point as adoption expands,” Miessler said in emailed comments to Dark Reading.

Current use cases for smartwatches extend beyond the usual activity and health monitoring applications to areas like messaging, monitoring and schedule checking. Because the smartwatch depends on an intermediary mobile device to pass information from and to the watch, the security of the gateway device becomes an important factor was well, HP noted in its report.

“The combination of account enumeration, weak passwords, and lack of account lockout means 30 percent of watches and their applications were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access to user accounts,” HP said.

Though smartwatch adoption is largely consumer driven, the security concerns associated with their use extend to enterprises as well. Given the amount of network connectivity, the attack surface areas present, and the highly adaptive nature of the Internet of Things in general, it’s important for enterprises to consider IoT and wearables to be untrusted, unless fully tested, analyzed, and secured, Miessler said.

“Wearables and other IoT related devices should always be segmented from the internal network,” he said.

The increasingly sophisticated recording capabilities of smartwatches and other wearables pose another near-term problem for enterprises, Miessler said. Wearbles, for instance, make it easier for users to surreptitiously record documents and events without being noticed.” For enterprises that may be discussing very sensitive information, or presenting that information in cubes or meeting rooms, the potential for data loss via this method increases significantly,” Miessler said.

Mitigating the threat posed by smartwatches and other IoT devices starts with an awareness of the risks they pose, he said.  It starts with knowing what type of sensors the watches have, and whether the devices can capture audio, video and data, he noted. Administrators also need to be aware of data are entered into these ecosystems, and where that data is sent, Miessler added.

“From there, it will be a matter of creating policies for managing IoT and wearables within the enterprise, whether that’s creating isolated segments on the LAN, determining what types of devices and capabilities are allowed in sensitive corporate areas,” and similar measures, he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
alinafoster
50%
50%
alinafoster,
User Rank: Apprentice
7/27/2015 | 1:38:26 AM
http://www.darkreading.com/endpoint/smartwatches-could-become-new-frontier-for-cyber-attackers/d/d-id/1321452
Its dangerous for us..
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1874
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-ba...
CVE-2019-1875
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by t...
CVE-2019-1876
PUBLISHED: 2019-06-20
A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could exp...
CVE-2019-1878
PUBLISHED: 2019-06-20
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to insuff...
CVE-2019-1879
PUBLISHED: 2019-06-20
A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploi...