< 1 min read

Security report finds DDoS attack-capable smartwatch among security vulnerabilities

MobilitySecurity & PrivacyHewlett Packard Enterprise Logo HP

A new study from HP on smartwatches has revealed significant lack of security features and encryption across the board.

Among the key findings, the report found that data collected by a watch is passed through multiple locations including third parties, and that as much as 90 per cent of it is “trivially intercepted.”

Meanwhile, there is a lack of firmware in 70 per cent of the cases, and in the interface, a lack of PIN or pattern requirement in up to half of the smartwatches evaluated.  Those that did did require it often failed to lock users out for failed attempts, leaving almost a third (30 per cent) of watches vulnerable to account harvesting.

“The results of our research were disappointing, but not surprising,” the report said. “We continue to see deficiencies in the areas of authentication and authorization along with insecure connections to cloud and mobile interfaces. Privacy concerns are magnified as more and more personal information is collected (including health information). Issues with the configuration and implementation of SSL/TLS that could weaken data security were also present.”

According to HP, the top 10 smartwatches evaluated from a hacker’s point of view, which also included their cloud interfaces, network posture, and more. In one instance, HP even found a running DNS service, “which allowed it to be used as part of a DNS amplification attack.”

In response, the company recommends that users enable security functionality such as lock screens, strong passwords and two-factor authentication. For enterprises, it recommends proper configurations of TLS implementations as well as building custom apps with stronger security.