Smartwatches Slammed For Poor Security

The nascent smartwatch industry has been criticised by a security firm after it discovered that the security features on some of the most popular smartwatches are not up to scratch.

The warning comes amid ongoing concerns about the security impact of wearable devices in the workplace.

Poor Protection

The study was carried out by Trend Micro in partnership with First Base Technologies, and examined Android-based devices such as the Motorola 360, LG G Watch, Sony Smartwatch, Samsung Gear Live and the Asus Zen Watch.

The study also examined the Apple Watch and Pebble wearable, but did not seem to cover Microsoft’s Band device for some reason. All devices were patched with the latest versions of their respective operating systems, and were paired to the iPhone 5, Motorola X and Nexus 5.

For the study, the devices were “stress-tested” on issues such as physical protection, data connections and information stored.

Trend said that the physical device protection across all smartwatches was poor, with no authentication via passwords or other means being enabled by default.

“This would enable free access if the wearable was stolen,” warned Trend. “All devices apart from Apple Watch, failed to contain a timeout function, meaning that passwords had to be activated by manually clicking a button.”

But the Apple Watch is not blame free, despite having better security features than its Android or Pebble rivals. The study found that the Apple Watch contained the largest volume of sensitive data, with images, contacts, calendars and passbook data all being stored on the device itself.

And Trend found that all the tested smartwatches saved local copies of data, which could be accessed through the watch interface when taken out of range of the paired smartphone. It said that this mean means anyone who compromises the wearable would have access to that data.

“Across all of the smartwatches that were tested, it is clear that manufacturers have opted for convenience at the expense of security,” said Bharat Mistry, Cyber Security Consultant at Trend Micro. “On the surface, a lack of authentication features can make devices appear easier to operate, but the risk of having personal and corporate data compromised is much too big of an issue to forget about.”

“Manufacturers must ensure that simple security features, such as limited password attempts, are enabled on devices by default,” said Mistry. “This considerably reduces the likelihood of data breaches. Smartwatch manufacturers must be cognisant of the fact they can slash data breaches by employing this best practice.”

“Although smartwatches are a relatively new technology, the same security issues that we’ve witnessed with smartphones are still present,” said Mike McLaughlin, Senior Penetration Tester & Technical Team Lead at First Base Technologies. “Google and Apple have added complex layers of encryption to their Bluetooth and Wi-Fi data connections; but if someone were to steal a watch without a password enabled, any data stored would be easily compromised. The biggest risk, as with all technology, is gaining physical access to the watch, and manufacturers should ensure simple features are in place to prevent this”.

Security Headache

The study did find that the Apple Watch was the sole wearable that allowed a wipe of the device after a set number of failed login attempts. This means the other devices are vulnerable to brute force attacks.

The advent of wearables has presented a further security headache for the IT manager. Wearables have proved useful to businesses in the past, as borne out by those early Google Glass adopters, who saw them as a highly efficient way to carry out tasks with remote assistance, or to give remote advice to personnel.

But security concerns remain about using these devices inside the corporate firewall.

Last month, a study by HP Security also found that many smartwatches carry major security flaws, thanks to their increasing connectivity.

Overall, 100 percent of the ten devices tested by Fortify (HP Security’s application provider) were found to contain “significant vulnerabilities”.

Suits you? Try our Wearable Tech quiz!