Hewlett-Packard is on a mission to raise awareness about insecure configurations and practices in the emerging Internet of things landscape. The latest target for HP's research is the smartwatch, which, like all the other types of IoT devices HP has looked at thus far, is lacking when it comes to proper security.
HP first began to publicly discuss its IoT research in July 2014 when it identified common vulnerabilities across 10 popular IoT devices. That research was followed up this February with a report on IoT home security devices that were also found to be insufficiently secured. Now HP has found that many of the same types of vulnerabilities in other classes of IoT devices are also in smartwatches, including weak authentication and lack of encryption, according to Daniel Miessler, practice principal at HP Fortify.
HP provides details of its smartwatch security analysis in a new report that examines 10 popular smartwatches. As was the case with the two prior HP IoT studies, there are no specific vendors or products mentioned in the report.
"A lot of the watches are part of an ecosystem including a mobile and a cloud component, and they often ask for the user to input personal data," Miessler told eWEEK. "We found that a lot of that personal information is being sent to multiple locations." He said that information could be sent to five or six locations, including advertising and analytic networks.
In addition, the watches that had cloud components were found to have weak password schemes, enabling HP's researchers to use brute-force attacks to gain access to the applications.
"The watch communications themselves were easy to intercept in 90 percent of cases," Miessler said.
One particular area of weakness is software updates for the smartwatches. HP found that 70 percent of the tested smartwatches did not perform the software updates with encryption. As a result, smartwatches are open to the risk of a man-in-the-middle attack that could intercept the communications and potentially load malicious firmware.
In addition, HP reported that only 50 percent of the tested devices had the ability to lock themselves after a specific amount of time.
"So if you left the watch on a table, only half shut down and locked the screen to keep someone from just logging into it," Miessler said.
One area of smartwatch security that HP looked at but didn't find any specific issues with is Bluetooth, which is an important finding, since many smartwatches today are tethered to mobile devices by way of Bluetooth. In a future report, HP might look deeper at the various protocols used to connect smartwatches, he added.
In general, the security issues HP found with smartwatches aren't all that unique, according to Miessler.
"We're seeing the same things over and over again. With smartwatches we're seeing the same security issues we're seeing with other IoT devices," Miessler said. "These are similar vulnerabilities to what we see in mobile, and what we see in Web security too."
The big risk with smartwatches, however, is the use case, which could enable an attack. Miessler noted that smartwatches are inherently personal devices that are now being used to enable access to different things such as buildings or cars, for example.
"Watches are very close to the person, and the more vulnerability you have, the more risk that is going to be present," he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.