Wearables May Be Vulnerable to Cyberattack
August 3, 2015
As the Internet of Things becomes more prevalent in our society, data security becomes more of a hot-button issue.
The most recent devices to take the spotlight are wearables (e.g. smartwatches and health and fitness monitors). This technology records and transmits sensitive information about the wearer and can connect with mobile apps and devices. As the functionality of these devices advances and the market grows, so do the associated risks.
HP just revealed the results of a recent study assessing the security of wearables, in particular smartwatches, and concluded that they are vulnerable to cyberattack. An attack on these devices could give criminals access to an individual’s location-tracking information, making a home invasion easier to execute.
A burglar broke into a home and attempted to steal $300,000 in jewelry, purses, wallets, luggage, coins, and fur coats after tracking the whereabouts of the homeowners using GPS technology. If it were not for a neighbor who witnessed the break-in, the culprit could have escaped with the stolen property.
Key takeaways from the study include:
- Data collected initially on the watch and passed through to an application is often sent to multiple backend destinations (often including third parties).
- Watches that include cloud interfaces often employ weak password schemes, making them more susceptible to attack.
- Watch communications are trivially intercepted in 90% of cases.
- Seventy percent of watch firmware was transmitted without encryption.
- Fifty percent of tested devices offered the ability to implement a screen lock (PIN or Pattern), which could hinder access if lost or stolen.
- Smartwatches that included a mobile application with authentication allowed unrestricted account enumeration.
- The combination of account enumeration, weak passwords, and lack of account lockout means 30% of watches and their applications were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access to user accounts.
What can you do to protect yourself?
The software vulnerabilities need to be addressed by the manufacturers, but until then, you can take these simple precautions to help reduce your risk:
- Use a screen lock or password to prevent unauthorized access to your device.
- Do not reuse the same user name and password between different sites.
- Use strong passwords. Be sure to use a combination of letters, numbers, symbols, and cases that cannot be linked to your personal life (such as the use of a birthday or family name).
- Turn off Bluetooth when not required or when the device is not being used.
- Be wary of sites and services asking for unnecessary or excessive information.
- Be careful when using social sharing features, especially if they disclose your location. Letting the world know that you are somewhere far from home can increase the risk of burglary.
- It’s recommended that users do not enable sensitive access control functions such as car or home access unless strong authorization, such as multifactor authentication, is offered.
- Read and understand the privacy policies of apps and services. It is important to know what information is protected and what information is shared and easily accessible. Avoid apps that do not display privacy policies prominently.
- Install app and operating system updates as they become available. These often include security updates based on current threats.
- Use a device-based security solution if available, such as a mobile device management tool that helps you manage and protect the data on connected devices through passwords and encryption. Use full-device encryption if available.
To learn more about cybersecurity and additional ways you can protect yourself and your family, visit the Cyber Knowledge Center and download our white paper.
For PURE members who have questions or concerns about cybersecurity, contact a PURE Member Advocate® at email@example.com or (888) 813-7873.