
Watch out: 5 reasons smartwatches need smarter security

Robert Lemos, Freelance writer

Driven by Apple's entry into the market, interest in smartwatches has taken off, with millions due to be sold this year. Yet, while developers are coming up with more interesting and useful ways of connecting people and their devices, security researchers continue to find vulnerabilities in the devices.

In a report released last week, security firm HP Fortify tested 10 brands of smartwatches and found that all had some vulnerabilities that affected the security of the device and the privacy of the user. Seven of the 10 watches transmitted firmware without encryption, four had vulnerabilities in their encrypted communications, and three had a combination of flaws that could allow account harvesting.

While the vulnerabilities may not add up to any significant privacy breach today, the personalized nature of smartwatches will mean that people will rely on them more frequently in the future for critical tasks, such as opening a car door or gaining access to their computer, said Daniel Miessler, lead researcher on the study and head of security research for HP Fortify on Demand.

"We think it is very important to look at the vulnerabilities in smartwatches, because people are stacking access control on top of them," Miessler said. "And as it grants you more access, it will become a more attractive target for attackers."

Driven by the release of the Apple Watch on April 24, smartwatches have quickly taken off, with expected unit sales of between 15 million and 20 million this year and more than 100 million by 2020, according to technology intelligence firm IHS.

Yet, the popularity comes with a price. While smartwatches add a lot of intelligence and personalization to connected devices, their manufacturers still make many of the same mistakes in terms of security. Diane Stapley, who manages security efforts and other alliances with hardware vendors at AMD, shudders at the prospect of pervasive networked devices with no security.

"As a technologist, I actually find it very, very scary," she said.

Yet, consumers, manufacturers, and developers can make a difference. Here are some of the major issues and possible solutions.

1. So much data, so little security

The amount of information collected by smartwatches has the potential to make the devices a ubiquitous monitoring system. Users will have to pay attention to ensure that only they have access to their data. In a 2014 survey of the risks associated with the "quantified self" movement, which includes fitness bands and smartwatches, security firm Symantec highlighted the privacy issues of collecting vast amounts of personal data and storing it online.

From pulse measurements to steps, from calendar information to credit card transactions, the smartwatch will act as a conduit for transmitting vast quantities of personal information to the Internet, said Candid Wüest, principal threat researcher for Symantec Security Response.

"There is a lot of information being passed through there, and that may not be a situation that users are comfortable with," he said.

2. It's 4 a.m., do you know where your data is?

While hacking a single watch could gain an attacker detailed information on a single user, compromising the online service storing data from smartwatches could result in a breach of millions of users' personal information. Unfortunately, service providers aren't too careful about where they're sending the data, according to HP Fortify. In its study, the company saw data sent to multiple locations on the Internet (up to 10), according to Miessler.

"It raises the question of—when a person is entering data into these systems—do they really know where it is going?" he said.

Miessler cautioned users to make sure they know all the companies who may have access to the data they're entering.

3. For businesses, put smart devices on guest wireless

At one time, companies had to fight back against the consumerization of information technology. That battle, however, is lost.

Now companies need to make sure that the massive influx of devices being brought into the workplace doesn't impact the security of their business, said Miessler.

"This is an overall theme for IoT, but applies to these smartwatches as well," he said. "Keep your business systems isolated from the consumer devices employees are bringing into the workplace."

4. Take care in using a smartwatch to control access

Because smartwatches are the device that users will always have with them, technologists predict that they'll become a digital keychain for consumers. Already, many smartwatches can be used to open up door locks and to enable access to a computer.

Yet, because the devices are so new, there continue to be many vulnerabilities, and that makes relying on them as a second factor of authentication a risky proposition. Until vendors can make sure that such functionality cannot be stolen or blocked, consumers should be wary, said AMD's Stapley.

"On the consumer side, everyone has a sense that they want or need security," she said. "No one wants their identity stolen, and no one wants their smart locks opened up — or house controlled — from the Internet. But they are also counting on their vendors to take care of that for them."

5. Let the vendors know

Developers and vendors are the key to improving device security, but until consumers start concerning themselves with the security of the devices and their data, securing smartwatches will take a back seat.

So consumers should make their concerns known to vendors, said Symantec's Wüest.

"The vendors are now aware that security should be added," he said. "But if consumers are not asking for it, then it is a tough call for them to add it."