by Bharat Mistry
According to a new piece of research we conducted with First Base Technologies, the security features on some of the market’s most popular smartwatches have been found to be poor.
Our study, which revealed security flaws in all six of the big-brand smartwatches on the market, stress-tested devices on physical protection, data connections and information stored to provide definitive results on which ones pose the biggest risk to consumers.
Android-based devices in the study included the Motorola 360, LG G Watch, Sony Smartwatch, Samsung Gear Live and the Asus Zen Watch, as well as the Apple Watch and the Pebble wearable, which run on their own operating systems. All devices were upgraded with the latest OS version at the time of testing and paired to the iPhone 5, Motorola X and Nexus 5.
Physical device protection across all smartwatches was found to be poor, with no authentication via passwords or other means being enabled by default. This would enable free access if the wearable was stolen. All devices apart from the Apple Watch failed to include a timeout function, meaning that passwords had to be activated by manually clicking a button.
Despite having better security features than its Android or Pebble rivals, the Apple Watch contained the largest volume of sensitive data. All of the tested smartwatches saved local copies of data, which could be accessed through the watch interface when taken out of range of the paired smartphone. This means that anyone who compromised the wearable would have access to this data. All of the devices stored unread notifications, except the Pebble, as well as fitness and calendar data. The Apple Watch stored the most data of all, with images, contacts, calendars and Passbook data, which can include information such as plane tickets, all stored locally.
Across all of the smartwatches that were tested, it is clear that manufacturers have opted for convenience at the expense of security. On the surface, a lack of authentication features can make devices appear easier to operate, but the risk of having personal and corporate data compromised is far too big an issue to forget about.
The Apple Watch was the sole wearable which allowed a wipe of the device after a set number of failed login attempts, leaving the other devices open to brute-force attacks. The trusted devices feature on Android, which removes the need for a smartphone password when in proximity to a verified device, means anyone with both a smartphone and smartwatch could potentially have unrestricted access to both devices.
We will be discussing the security of wearables, Internet of Everything, hacking, enterprise security and more at CLOUDSEC in London, 17th September. For more info visit: http://www.cloudsec.com/uk
More resources on wearables security including videos and research: http://www.trendmicro.co.uk/wearables