All smartwatches are vulnerable to cyber attacks, HP study finds

HP believes test of 10 smartwatches is a good indicator of current security posture of all smartwatch devices

Smartwatches are open to cyber attacks, according to a new report that found significant security vulnerabilities in every smartwatch tested.

The study was conducted by HP Fortify, which used manual testing as well as automated tools to assess the security of 10 smartwatches, along with their Android and iOS cloud and mobile application components.

HP did not reveal which smartwatches were tested.

The study found that every smartwatch tested was paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after three to five password attempts. Two of the devices could even be paired with a different phone with ease if they were stolen.

Three of the watches were vulnerable to "account harvesting", meaning that an attacker could gain access to the device and the data stored on it through a combination of a lacklustre password policy and a weak attempt at locking out accounts.

The study found that while all products tested had implemented transport encryption using SSL/TLS, 40 per cent of cloud connections were still vulnerable to the POODLE attack, allowed the use of weak ciphers, or still used SSL v2.

The majority (70 per cent) of devices had problems with protection of firmware updates, including transmitting firmware updates without encryption.

"While malicious updates cannot be installed, lack of encryption allows the files to be downloaded and analysed," it said.

Other issues included insecure interfaces and privacy concerns.

"All smartwatches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal information is a concern," HP said.

HP said that the study was representative of the smartwatch market as a whole.

"While there are certainly a fair number of smartwatch devices already on the market, and that number continues to grow, HP believes the similarity in results of the 10 smartwatches provides a good indicator of the current security posture of smartwatch devices," it said.

It urged consumers to ensure they don't enable sensitive access control functions on their smartwatches, such as car or home access, unless there is "strong authorisation", and advised them to use strong passwords.