Smartwatches open to cyberattack says HP

24 Jul 2015

HP study finds smartwatches could do more to keep user data safe.

Those are the findings of a study from Hewlett-Packard, whose Fortify on Demand security division tested 10 popular smartwatches and found vulnerabilities in every device it examined. The study found "that 100% of the tested smartwatches contain significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns," the company said in releasing the findings on Wednesday.

HP is in the process of alerting vendors about the flaws and cannot disclose which watches it tested, said Daniel Miessler, practice principal at HP. The researchers spare the blushes of the brands tested, stating only that the firm chose "10 of the top smartwatches on today's market", which in a small sector must inevitably include just about every product with any profile. HP's Fortify software assessment unit took a closer look at smartwatch security, including that implemented by the market-defining Apple Watch, and uncovered a mess of poor security, lazy programming and complacent design.

HP also examined the security of the Web interfaces and mobile apps that accompany smartwatches and allow a person to access the device, as well as how data gathered by watch apps is protected and used. The researchers found "that smartwatches with network and communication functionality represent a new and open frontier for cyberattack," the report said. Unlike old-world timepieces, smartwatches are designed to be paired with and to communicate with mobile devices such as smartphones, and that is where most of the security problems start.

The research highlights the cyber risks from the growing number of connected devices, such as refrigerators, cars, coffee makers and lightbulbs, sometimes referred to as the "Internet of Things". Smartwatches could pose special risks because they may store sensitive information such as health data, and could connect to cars and homes to unlock them, HP said. All of the smartwatches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information.

"Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities," said Jason Schmitt, general manager at HP Security. "As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks."

Among the vulnerabilities uncovered was a lack of proper authorisation and authentication. When connected to a test mobile device that had deliberately been made insecure, three in ten of the watches proved vulnerable to account harvesting, thanks to a combination of weak password policy, lack of account lockout and user enumeration. The watch interfaces and apps did not lock users out after multiple wrong passwords and lacked two-factor authentication. Combined with account-harvesting tactics, which cull the Web for information on people, these weaknesses could allow an attacker to use brute force attacks to figure out a person's password, HP said.

Data communication for nine out of ten watches could be intercepted using trivial techniques. While the wearables used the SSL and TLS protocols to encrypt information, some relied on SSL 2.0, an older version of the protocol with well-known security flaws. Seven out of ten products lacked any encryption when transmitting firmware updates. Those updates were signed, which prevents a tampered file from being accepted by the device, but signing does nothing to stop the update from being downloaded and read by anyone who can see the traffic.

The cloud connections and accounts used by the products displayed a mish-mash of problems, including providers running SSL/TLS servers that had not been patched for the POODLE flaw disclosed in October 2014 (four products) and cloud-service logins that allowed weak passwords (three products). This gives attackers more access points to the data, either by intercepting it in transit or by going after the servers where it is stored, Miessler said. The list goes on, including the extraordinary revelation that one of the products tested included a "functioning DNS server", which in theory could allow the device to be corralled into a DNS amplification attack.

HP's study cites critical weaknesses, such as insecure interfaces and insufficient authentication, as areas of concern for smartwatch owners and other participants in the IoT, which at this point is almost anyone with a connected device. There may have been good reasons for not revealing too much, but without more data on specific products it is unlikely that problems will be fixed in a hurry. It is probably too early to start panicking over the implications for organisational security, but the warning is clear: smartwatches have a way to go before they meet business security standards. In the meantime, users should not agree to pair with unrecognised devices, should set strong passwords, and should disable certain kinds of network access unless the authentication on offer is of a high standard.
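The three weaknesses HP combined under "account harvesting" (user enumeration, weak password policy and no lockout) and the brute-force attack they enable are easier to see in code. The following is an added example written for this page, not code from HP or from any of the watches tested: a toy account service that has all three flaws, a hardened version beside it, and the attacker's two steps (harvest valid usernames from the error text, then try a short password list). All usernames, passwords and messages are constructed for illustration.

```python
"""Added example (not HP's code): account harvesting against a weak login
handler versus a hardened one. Everything here is constructed for illustration."""
import hashlib
import hmac
import os
import secrets

# Constructed password list: used by the attacker and, in the hardened
# service, as a deny-list of the kind built from breach corpora.
COMMON_PASSWORDS = ["123456", "password", "watch2015", "qwerty"]
MIN_LEN = 12        # hypothetical minimum length for the hardened policy
MAX_FAILURES = 5    # hypothetical lockout threshold
PBKDF2_ROUNDS = 50_000  # lower than production values, to keep the demo fast


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class WeakAccountService:
    """Mirrors the flaws reported: distinct error messages reveal whether an
    account exists, any password is accepted at registration, and there is
    no lockout, so an attacker may guess forever."""

    def __init__(self):
        self.users = {}  # username -> (salt, pbkdf2 digest)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        if username not in self.users:
            return "no such user"       # enumeration oracle
        salt, digest = self.users[username]
        if _hash(password, salt) != digest:
            return "wrong password"     # second message confirms the account
        return "ok"


class HardenedAccountService:
    """Same API with the three fixes: a password policy, one uniform error for
    every failure (a dummy hash is compared for unknown users so the code path
    is the same), and a per-account failure counter that locks the account."""

    def __init__(self):
        self.users = {}
        self.failures = {}
        self._dummy_salt = os.urandom(16)
        self._dummy_digest = _hash(secrets.token_hex(16), self._dummy_salt)

    def register(self, username, password):
        if len(password) < MIN_LEN or password in COMMON_PASSWORDS:
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return "invalid credentials"  # locked: same message, no oracle
        known = username in self.users
        salt, digest = self.users[username] if known else (self._dummy_salt, self._dummy_digest)
        match = hmac.compare_digest(_hash(password, salt), digest)
        if not (known and match):
            self.failures[username] = self.failures.get(username, 0) + 1
            return "invalid credentials"
        self.failures[username] = 0
        return "ok"


def harvest_accounts(service, candidate_names):
    """Attacker step 1: treat the login error text as an existence oracle."""
    return [n for n in candidate_names if service.login(n, "x") != "no such user"]


def brute_force(service, usernames, passwords):
    """Attacker step 2: try the short password list against each account."""
    found = {}
    for user in usernames:
        for pw in passwords:
            if service.login(user, pw) == "ok":
                found[user] = pw
                break
    return found


def demo():
    """Run both attacker steps against the weak and the hardened service."""
    weak = WeakAccountService()
    weak.register("alice", "123456")              # accepted: no policy
    weak.register("bob", "correct-horse-battery")
    hard = HardenedAccountService()
    hard.register("alice", "a-long-enough-passphrase")
    hard.register("bob", "correct-horse-battery")
    names = ["alice", "bob", "carol"]              # constructed guess list
    weak_found = brute_force(weak, harvest_accounts(weak, names), COMMON_PASSWORDS)
    hard_harvest = harvest_accounts(hard, names)   # oracle gone: every name looks alike
    hard_found = brute_force(hard, hard_harvest, COMMON_PASSWORDS)
    return weak_found, hard_harvest, hard_found


if __name__ == "__main__":
    print(demo())
```

Against the weak service the harvest step separates real accounts from the made-up "carol", and the brute-force step recovers alice's password on the first guess. Against the hardened service the harvest returns every candidate name, because nothing in the response distinguishes them, the policy never let "123456" be registered, and the failure counter means the guessing budget per account is MAX_FAILURES rather than unlimited. A lockout that is only per-account can itself be abused to lock a known victim out, which is why production systems pair it with per-client rate limiting and a second factor, both of which HP noted the tested apps lacked.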
