Could smart watch security issues be a Christmas buzzkill?

01-12-2015 | By Paul Whytock

The simple answer to that is no, providing users are careful. But will they be? Smart watches are predicted to be this Christmas's must-have gift, and Yuletide will be the closing stages of a year in which nearly €10 billion worth of these clever timepieces found wrists to sit on.

But will it be a happy New Year for some wearers? Maybe not given the concerns regarding smart watch security and how easily most of them can be hacked.

Firstly, let's take a look at the problems and then finish by giving some recommendations on how to beef up your smart watch security.

There has been plenty of publicity about security issues in recent weeks with one study from Trend Micro saying that all six big brand smart watches had poor security features. And this is worrying when the capability of these devices starts to include banking and payment facilities.

So what are the difficulties with smart watch security? Firstly, they are a fairly new idea and companies are all trying to beat each other in the race to gain sales. This means security doesn't always come first when it comes to attracting buyers. It's all about the snazzy functions, and in this regard the use by manufacturers of third-party developed applications can sometimes jeopardise security. But there are more problems than just that. Inadequate authentication procedures and a lack of robust encryption safeguards are all potential weaknesses that pernicious hackers might exploit.

It also doesn't help that most smart watches use Bluetooth to pair with smart phones and laptops, and let's face it, Bluetooth is not the most secure communication protocol. Some industry observers have tried to defend smart watches and the use of this protocol by saying that the information carried is not of great interest to hackers. This in my view is absolute nonsense now that we have watches capable of paying for things. The only thing I will say for smart watches that makes them more secure than phones, tablets or laptops is that they are inevitably strapped to your wrist, which means they are less likely to be left somewhere and are much harder to steal. But just as iPhones are the most stolen smart phones, I wouldn't be surprised if Apple smart watches became the most must-steal watch.

So let's cut through all the advertising and marketing hyperbole when it comes to smart watches and accept the fact that they need better security solutions.

In an in-depth report into smart watch security Hewlett Packard came up with these key issues:

  • Data collected initially on the watch and passed through to an application is often sent to multiple backend destinations (often including third parties)
  • Watches that include cloud interfaces often employed weak password schemes making them more susceptible to attack
  • Watch communications are trivially intercepted in 90% of cases
  • Seventy percent of watch firmware was transmitted without encryption
  • Fifty percent of tested devices offered the ability to implement a screen lock (PIN or Pattern), which could hinder access if lost or stolen
  • Smart watches that included a mobile application with authentication allowed unrestricted account enumeration
  • The combination of account enumeration, weak passwords, and lack of account lockout means 30% of watches and their applications were vulnerable to Account Harvesting, allowing attackers to guess login credentials and gain access to user accounts.
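The last finding is worth making concrete, because the three weaknesses reinforce each other: a login that answers "unknown user" for one name and "wrong password" for another confirms which accounts exist, and with no lockout there is nothing to stop unlimited guessing against the confirmed ones. The following Python is an added illustration of my own, not code from HP's report or from any watch vendor; the account names, passwords and lockout threshold are constructed for the demo. It places the weak pattern beside a hardened login that returns one uniform failure message, spends the same hashing effort on unknown names so timing does not leak account existence, and locks an account after a fixed number of failures.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept modest for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


def make_store(users: dict) -> dict:
    """Build an in-memory credential store from constructed sample users."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = Account(salt, _hash_password(pw, salt))
    return store


# Dummy credentials used so that unknown usernames cost the same work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)


def weak_login(store: dict, username: str, password: str) -> tuple:
    """The pattern the HP findings describe: distinct messages reveal whether
    the account exists, and there is no lockout, so guesses are unlimited."""
    acct = store.get(username)
    if acct is None:
        return False, "unknown user"
    if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        return True, "ok"
    return False, "wrong password"


LOCKOUT_THRESHOLD = 5  # constructed value for the demo
GENERIC_FAILURE = "invalid username or password"


def hardened_login(store: dict, username: str, password: str) -> tuple:
    """Uniform failure message, equal work for unknown names, per-account lockout."""
    acct = store.get(username)
    if acct is None:
        # Hash anyway so an unknown name is not faster to reject than a known one.
        hmac.compare_digest(_hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return False, GENERIC_FAILURE
    if acct.locked:
        # A distinct "locked" message would itself confirm the account exists;
        # notify the real owner out of band instead.
        return False, GENERIC_FAILURE
    if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        acct.failures = 0
        return True, "ok"
    acct.failures += 1
    if acct.failures >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    store = make_store({"alice": "correct horse battery"})
    print("weak, unknown name:  ", weak_login(store, "bob", "x"))
    print("weak, known name:    ", weak_login(store, "alice", "x"))
    print("hardened, unknown:   ", hardened_login(store, "bob", "x"))
    print("hardened, known:     ", hardened_login(store, "alice", "x"))
```

Run as a script, the weak login prints two different messages for an unknown and a known name, while the hardened login prints the same message for both. Lockout alone is a blunt tool (it lets someone lock a victim out on purpose), so in practice it is paired with rate limiting by source and with the stronger passwords and two-factor authentication the recommendations below call for.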

But in fairness to the watchmakers, security improvements are happening. The Apple Watch, for example, has an opt-in password which users have to enter each time they put the watch back on their wrist. And very importantly, the password becomes mandatory if Apple Pay is set up on the Apple Watch. Pay accounts can also be deactivated remotely via iCloud.

So will I be expecting to find a smart watch in my Xmas stocking? Probably not. But if I did I would certainly pay attention to Hewlett Packard's advice to consumers when it comes to maximising smart watch security. These are the recommendations:

  • Do not enable sensitive access control functions (e.g., car or home access) unless strong authentication is offered (two-factor etc).
  • Enable passcode functionality to prevent unauthorised access to your data, opening of doors, or payments on your behalf.
  • Enable security functionality (e.g., passcodes, screen locks, two-factor and encryption).
  • For any interface such as mobile or cloud applications associated with your watch, ensure that strong passwords are used.
  • Do not approve any unknown pairing requests (to the watch itself).

Paul Whytock is Technology Correspondent for Electropages. He has reported extensively on the electronics industry in Europe, the United States and the Far East for over thirty years. Prior to entering journalism, he worked as a design engineer with Ford Motor Company at locations in England, Germany, Holland and Belgium.