Smartwatches like the new Apple Watch are still finding their places on users' wrists, but that doesn't mean it's too soon for IT security professionals to start worrying about whether these new devices pose additional risks. Or, at least, it's not too early for the IT security industry to start trying to scare us into worrying about these new devices. Despite a new HP report on the topic, though, I'm still not entirely sure about the magnitude of the danger.
IT security professionals are still dealing with the fallout from the rise of the smartphone, which drastically increased the vectors of vulnerability for many corporate networks. And now, with the rise of smartwatches, and particularly the Apple Watch's comparatively robust sales, there's legitimate concern that we're opening up another less-than-fully secured window into corporate networks (not to mention the security risks for consumers).
To see if that concern is justified, HP Fortify tested 10 popular smartwatches for potential security vulnerabilities—and found security flaws in every single one. Calling the results "disappointing, but not surprising," the report (PDF) cited a number of vulnerabilities, including:
- Insufficient user authentication/authorization: The mobile interfaces did not support two-factor authentication or the ability to lock out accounts after failed password attempts. Half of them did not support screen locks.
- Lack of transport encryption: All 10 smartwatches tested implemented transport encryption using SSL/TLS, but 4 were vulnerable to the POODLE attack, allowed the use of weak ciphers, or still used SSL v2.
- Insecure interfaces: Three of the tested smartwatches used cloud-based web interfaces that could enable hackers to identify valid user accounts through feedback from password-reset mechanisms.
- Insecure software/firmware: Seven smartwatches did not properly protect firmware updates.
- Privacy concerns: All 10 smartwatches collected personal information that could be accessed via other vulnerabilities.
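To make the authentication and interface findings above concrete, here is an added example (not taken from the HP report or written by this article's author) of a server-side login and password-reset handler that locks accounts after repeated failures and gives the same answer whether or not an account exists. The account store, thresholds, messages, and function names are all assumptions made for illustration.

```python
import hmac
import time

# Constructed sample account store (hypothetical); real systems keep salted hashes.
ACCOUNTS = {"alice@example.com": "correct horse battery staple"}
MAX_FAILURES = 5            # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window
GENERIC_RESET_MSG = "If that address is registered, a reset link has been sent."

FAILURES = {}  # username -> (failure_count, time_of_last_failure)


def request_password_reset(email, outbox):
    """Queue a reset mail only for real accounts, but answer identically either way."""
    if email in ACCOUNTS:
        outbox.append(email)  # stand-in for sending the reset mail
    return GENERIC_RESET_MSG


def login(username, password, now=None):
    """Return 'ok', 'denied' or 'locked'.

    Unknown usernames are counted and locked exactly like known ones, so
    neither the response nor the lockout behaviour reveals which accounts exist.
    """
    now = time.time() if now is None else now
    count, last = FAILURES.get(username, (0, 0.0))
    if count >= MAX_FAILURES:
        if now - last < LOCKOUT_SECONDS:
            return "locked"
        count = 0  # lockout window has expired, start counting again
    stored = ACCOUNTS.get(username)
    # Compare against a dummy value for unknown users so both paths do a comparison.
    candidate = stored if stored is not None else "\0"
    match = hmac.compare_digest(candidate.encode(), password.encode())
    if stored is not None and match:
        FAILURES.pop(username, None)
        return "ok"
    FAILURES[username] = (count + 1, now)
    return "denied"
```
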
That sounds pretty bad, and I don't doubt that smartwatch security is no closer to fully baked than the other features of smartwatches. But I'm not panicking yet, partly because the report is far from definitive, and partly because it's still super early days for smartwatches.
First off, due to the company's "responsible disclosure policies," HP's report doesn't identify the companies, products, or models tested, beyond saying "we evaluated 10 of the top smartwatches on today's market from an attacker's perspective." (An HP spokesperson explained that "HP's practice is to notify the affected companies and provide them with an opportunity to address the security issues uncovered by our testing.")
Even if we knew which devices were tested, it's not clear that the most advanced and popular one—the Apple Watch—is the one with the biggest security problems. Frankly, only the Apple Watch has enough market penetration to worry about right now.
More importantly, it's pretty obvious that everyone—including Apple—is still figuring out just about everything about smartwatches. Security matters, but no one is really sure what these devices will be used for yet. As these devices become more popular and things get clearer over time, security is likely to improve as well.
So while this may be a problem now as early adopters wear their shiny new smartwatches to work and connect to their office networks, the actual numbers are still small and the vulnerabilities are likely to shrink as the number of users grows.
HP offered four suggestions to mitigate smartwatch vulnerabilities in the enterprise:
- Ensure TLS implementations are configured and implemented properly.
- Protect user accounts and sensitive data by requiring strong passwords.
- Implement controls to prevent man-in-the-middle attacks.
- Build mobile applications (specific to each ecosystem) into the device – in addition to any vendor-provided or recommended apps.
Those are great recommendations, for smartwatches or any other mobile device. But many popular smartphones also have security issues, and for now they are in vastly wider usage than smartwatches. For now, at least, that's where I'd focus my security efforts, wouldn't you?