Ever fancied owning a smartwatch? Or do you already own one? You may be surprised to learn that these wearable devices pose a lot of security risks. Smartwatches, smart bands, and even wireless panels can pose a threat to your online identity. These devices, referred to as IoT (Internet of Things) devices, gain remote access to data on your smartphones or computers, but according to HP, they don’t provide the same level of security.
HP assessed 10 different smartwatches and smart bands with different specifications, along with their respective mobile and computer applications. They found that each one had some issues that could make it vulnerable. Every smartwatch collects personal data, including name, date of birth, location, etc., but none of them has an effective way to keep this information secure. In 90% of the cases where information has to be retrieved from a smartwatch, it can be intercepted, and more than 40% of these smartwatches have firmware that can easily leak the information, the study suggested.
Smartwatches and other wearables primarily pose risk at two levels:
- Device level: Most of the smartwatches tested by HP had weaknesses related to the device’s firmware; for example, none of the devices had two-factor authentication or the ability to lock down the device after a number of failed attempts.
- Transit level: At the transport layer, while transmitting data between the host device and the smartwatch, the assessed smartwatches lacked a strong cipher. In four out of ten cases, it was found that the encryption of the transmitted data could easily be deciphered.
“The combination of account enumeration, weak passwords, & lack of account lockout means 30 percent of watches and their applications were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access to user accounts,” Daniel Miessler, the lead researcher of this study, said. He also suggested, “it will be a matter of creating policies for managing IoT and wearables within the enterprise, whether that’s creating isolated segments on the LAN, determining what types of devices and capabilities are allowed in sensitive corporate areas.”