Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/24/2015
09:20 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Smartwatches Could Become New Frontier for Cyber Attackers

Every single smartwatch tested in a recent study by HP had serious security weaknesses.

Watches with network and communication functionality are opening up a new frontier for cyber attackers thanks to a largely cavalier attitude towards security by manufacturers, a new study by HP warns.

HP assessed the available security features on 10 smartwatches along with their Android and iOS cloud and mobile application components and found every single device to have significant vulnerabilities such as insufficient authentication and lack of data encryption.

As part of the study, HP looked at smartwatch management capabilities, network communications, their mobile and cloud interfaces and other potentially vulnerable components.

All of the watches that HP evaluated collected personal data in the form of names, addresses, birth dates, weight, gender and heart rate. Yet not one of them had adequate controls in place for ensuring the privacy and security of the collected data either while on the device or in transit.

For instance, every smartwatch that HP tested was paired with a mobile interface that lacked two-factor authentication. None of the interfaces had the ability to lock out accounts after multiple failed login attempts. A significant 40 percent of the tested products used weak cyphers at the transport layer while a full 70 percent had firmware related insecurities.

 “We found that smartwatch communications are easily intercepted in 90 percent of cases, and 70 percent of watch firmware is transmitted without encryption,” says Daniel Miessler, lead researcher for the study at HP. “These statistics reveal areas of security risk and are extremely worrisome, as smartwatches are likely to become a key access control point as adoption expands,” Miessler said in emailed comments to Dark Reading.

Current use cases for smartwatches extend beyond the usual activity and health monitoring applications to areas like messaging, monitoring and schedule checking. Because the smartwatch depends on an intermediary mobile device to pass information from and to the watch, the security of the gateway device becomes an important factor was well, HP noted in its report.

“The combination of account enumeration, weak passwords, and lack of account lockout means 30 percent of watches and their applications were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access to user accounts,” HP said.

Though smartwatch adoption is largely consumer driven, the security concerns associated with their use extend to enterprises as well. Given the amount of network connectivity, the attack surface areas present, and the highly adaptive nature of the Internet of Things in general, it’s important for enterprises to consider IoT and wearables to be untrusted, unless fully tested, analyzed, and secured, Miessler said.

“Wearables and other IoT related devices should always be segmented from the internal network,” he said.

The increasingly sophisticated recording capabilities of smartwatches and other wearables pose another near-term problem for enterprises, Miessler said. Wearbles, for instance, make it easier for users to surreptitiously record documents and events without being noticed.” For enterprises that may be discussing very sensitive information, or presenting that information in cubes or meeting rooms, the potential for data loss via this method increases significantly,” Miessler said.

Mitigating the threat posed by smartwatches and other IoT devices starts with an awareness of the risks they pose, he said.  It starts with knowing what type of sensors the watches have, and whether the devices can capture audio, video and data, he noted. Administrators also need to be aware of data are entered into these ecosystems, and where that data is sent, Miessler added.

“From there, it will be a matter of creating policies for managing IoT and wearables within the enterprise, whether that’s creating isolated segments on the LAN, determining what types of devices and capabilities are allowed in sensitive corporate areas,” and similar measures, he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
alinafoster
50%
50%
alinafoster,
User Rank: Apprentice
7/27/2015 | 1:38:26 AM
http://www.darkreading.com/endpoint/smartwatches-could-become-new-frontier-for-cyber-attackers/d/d-id/1321452
Its dangerous for us..
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11484
PUBLISHED: 2020-10-29
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure.
CVE-2020-11485
PUBLISHED: 2020-10-29
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a Cross-Site Request Forgery (CSRF) vulnerability in the AMI BMC firmware in which the web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the u...
CVE-2020-11486
PUBLISHED: 2020-10-29
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which software allows an attacker to upload or transfer files that can be automatically processed within the product's environment, which may lead to remote code execution.
CVE-2020-11487
PUBLISHED: 2020-10-29
NVIDIA DGX servers, DGX-1 with BMC firmware versions prior to 3.38.30. DGX-2 with BMC firmware versions prior to 1.06.06 and all DGX A100 Servers with all BMC firmware versions, contains a vulnerability in the AMI BMC firmware in which the use of a hard-coded RSA 1024 key with weak ciphers may lead ...
CVE-2020-11488
PUBLISHED: 2020-10-29
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30 and all DGX-2 with BMC firmware versions prior to 1.06.06, contains a vulnerability in the AMI BMC firmware in which software does not validate the RSA 1024 public key used to verify the firmware signature, which may lead to i...