
Surprise! Smart Watches Have Dumb Security

How many popular smart watches feature sub-par security? Maybe all of them.

A new study conducted by Hewlett-Packard researchers took 10 of the most popular smart watches on the market and ran them through a series of tests to evaluate how susceptible they were to common cyberattacks. HP found that every one of the watches tested had at least one significant security flaw.

HP did not share the exact models of the smart watches it tested, as it wants to notify manufacturers before word gets out to the general public. The company shared its findings in a short research paper, in which the researchers described their methodology and results.


HP ran each smart watch through a series of manual and automated tests that evaluated the device against the Open Web Application Security Project (OWASP) Internet of Things Top 10, a list of the weakness categories most often found in connected devices. Those categories include "insecure Web interface," "insufficient authentication/authorization," "lack of transport encryption," "privacy concerns," "insecure software/firmware" and "poor physical security."

HP discovered that 70 percent of the smart watches received firmware updates over unencrypted connections. An attacker positioned between the watch and the update server could then read or rewrite the update in transit, and unless the watch also checks a cryptographic signature on the image before installing it, a modified update would run on the device. Encrypting the download hides its contents; only signature verification tells the watch that the image came from its manufacturer.
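An added example (not HP's test code, and not any watch vendor's real update format) of the check that closes this gap: the device verifies a signature over the update header and a digest of the image before flashing, so an attacker who intercepts the download, encrypted or not, cannot substitute an image or roll the watch back to an older one. The package layout, the field names and the anti-rollback rule are assumptions of this example; it uses Go's standard crypto/ed25519.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package layout assumed by this example (not any vendor's real format):
//
//   magic "FWPK" (4) | version uint32 BE (4) | payload length uint32 BE (4)
//   | sha256(payload) (32) | ed25519 signature over the 44 header bytes (64)
//   | payload
const (
	magicLen  = 4
	headerLen = magicLen + 4 + 4 + sha256.Size   // 44 bytes, all covered by the signature
	pkgMinLen = headerLen + ed25519.SignatureSize // 108 bytes before the payload
)

var magic = []byte("FWPK")

var (
	ErrMalformed = errors.New("update: malformed package")
	ErrBadSig    = errors.New("update: signature does not verify")
	ErrBadDigest = errors.New("update: payload digest mismatch")
	ErrRollback  = errors.New("update: version is not newer than installed firmware")
)

// BuildUpdate is the vendor side: hash the image, then sign the header
// (version, length, digest) with the vendor's private key.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[magicLen:], version)
	binary.BigEndian.PutUint32(hdr[magicLen+4:], uint32(len(payload)))
	sum := sha256.Sum256(payload)
	copy(hdr[magicLen+8:], sum[:])

	pkg := make([]byte, 0, pkgMinLen+len(payload))
	pkg = append(pkg, hdr...)
	pkg = append(pkg, ed25519.Sign(priv, hdr)...)
	return append(pkg, payload...)
}

// VerifyUpdate is the device side, run before anything is flashed. The watch
// holds only the public key, so an attacker who can read or rewrite the
// download in transit still cannot produce a package that passes.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg []byte) (uint32, error) {
	if len(pkg) < pkgMinLen || !bytes.Equal(pkg[:magicLen], magic) {
		return 0, ErrMalformed
	}
	hdr, sig, payload := pkg[:headerLen], pkg[headerLen:pkgMinLen], pkg[pkgMinLen:]

	// Authenticate the header before trusting any field in it.
	if !ed25519.Verify(pub, hdr, sig) {
		return 0, ErrBadSig
	}
	version := binary.BigEndian.Uint32(hdr[magicLen:])
	if uint32(len(payload)) != binary.BigEndian.Uint32(hdr[magicLen+4:]) {
		return 0, ErrMalformed
	}
	// The signed digest binds the payload to the authenticated header.
	got := sha256.Sum256(payload)
	if !bytes.Equal(hdr[magicLen+8:headerLen], got[:]) {
		return 0, ErrBadDigest
	}
	// Anti-rollback: a genuinely signed but older image would reintroduce
	// bugs the vendor already fixed.
	if version <= installed {
		return 0, ErrRollback
	}
	return version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image, not a real one") // sample input
	pkg := BuildUpdate(priv, 2, image)

	try := func(label string, p []byte) {
		v, err := VerifyUpdate(pub, 1, p)
		fmt.Printf("%-18s version=%d err=%v\n", label, v, err)
	}
	try("genuine v2", pkg)

	tampered := append([]byte(nil), pkg...)
	tampered[len(tampered)-1] ^= 0xff // flip a payload byte in transit
	try("tampered payload", tampered)

	unsigned := append([]byte(nil), pkg...)
	copy(unsigned[headerLen:pkgMinLen], make([]byte, ed25519.SignatureSize))
	try("signature zeroed", unsigned)

	try("rollback to v1", BuildUpdate(priv, 1, image))
}
```

The order of the checks matters: the signature is verified before the version and length fields are read, so nothing in the header is acted on until it has been authenticated, and the version comparison runs last because a correctly signed but older image is still an attack.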

Two of the 10 devices accepted any pairing request, meaning that a thief could pair a stolen watch with his or her own smartphone. Only half of the smart watches offered a PIN or password screen lock; on the other half, whatever data the watch stored was readable by anyone who picked it up.

Encryption turned out to be a problem for nearly half of the smart watches tested. While every device used some form of encryption, 40 percent of them were susceptible to the POODLE attack. POODLE forces a connection down to the obsolete SSL 3.0 protocol and then exploits a flaw in how that protocol handles padding to decrypt small pieces of the traffic, such as a session cookie, one byte at a time; a client that is still willing to fall back to SSL 3.0 is exposed even if it prefers newer TLS versions. This could prove hugely problematic, as smart watches collect some of a user's most personal health data.
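Added example, not from HP's report or any watch vendor: a parser that reads the version a server actually selected from its ServerHello and flags SSL 3.0, alongside the client configuration that refuses to negotiate anything below TLS 1.2 so a downgrade attempt simply fails. The ServerHello bytes are constructed inline rather than captured from a device; the names ServerHelloVersion, PoodleExposed, HardenedClientConfig and updates.example belong to this example only.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
)

// SSL 3.0 on the wire; defined here because modern crypto/tls keeps the
// constant only as deprecated and cannot negotiate the protocol at all.
const VersionSSL30 uint16 = 0x0300

// ServerHelloVersion extracts the protocol version the server selected from
// the first handshake record it sends back. Layout (SSL 3.0 and TLS 1.x):
//   record:    type(1)=0x16 | version(2) | length(2)
//   handshake: type(1)=0x02 ServerHello | length(3) | server_version(2) | ...
func ServerHelloVersion(rec []byte) (uint16, error) {
	if len(rec) < 11 || rec[0] != 0x16 {
		return 0, errors.New("not a TLS handshake record")
	}
	recLen := int(binary.BigEndian.Uint16(rec[3:5]))
	if recLen < 6 || len(rec) < 5+recLen {
		return 0, errors.New("truncated record")
	}
	if rec[5] != 0x02 {
		return 0, errors.New("first handshake message is not a ServerHello")
	}
	return binary.BigEndian.Uint16(rec[9:11]), nil
}

// PoodleExposed reports whether the connection landed on SSL 3.0, the
// protocol whose CBC padding handling POODLE exploits.
func PoodleExposed(rec []byte) (bool, error) {
	v, err := ServerHelloVersion(rec)
	if err != nil {
		return false, err
	}
	return v == VersionSSL30, nil
}

// VersionName renders a version code for log output.
func VersionName(v uint16) string {
	switch v {
	case VersionSSL30:
		return "SSL 3.0"
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// HardenedClientConfig is the corrected client setting: the floor is pinned
// explicitly at TLS 1.2, so a downgrade attempt fails rather than landing on
// an old protocol. Leaving MinVersion unset (the weak counterpart) let older
// Go releases accept TLS 1.0; pinning it is the safe habit in any client library.
func HardenedClientConfig(serverName string) *tls.Config {
	return &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// BuildServerHello constructs a minimal ServerHello record for the given
// version (empty session ID, one CBC cipher suite). Sample input for the
// demo, not a capture from any device.
func BuildServerHello(version uint16) []byte {
	body := make([]byte, 2+32+1+2+1) // server_version, random, session_id len, cipher suite, compression
	binary.BigEndian.PutUint16(body[0:], version)
	binary.BigEndian.PutUint16(body[35:], 0x002f) // TLS_RSA_WITH_AES_128_CBC_SHA
	hs := append([]byte{0x02, 0, 0, byte(len(body))}, body...)
	rec := []byte{0x16, byte(version >> 8), byte(version), 0, byte(len(hs))}
	return append(rec, hs...)
}

func main() {
	for _, v := range []uint16{VersionSSL30, tls.VersionTLS10, tls.VersionTLS12} {
		exposed, err := PoodleExposed(BuildServerHello(v))
		fmt.Printf("%-8s poodle-exposed=%v err=%v\n", VersionName(v), exposed, err)
	}
	fmt.Printf("hardened client floor: %s\n", VersionName(HardenedClientConfig("updates.example").MinVersion))
}
```

Run against a capture of a watch talking to its vendor's server, the parser answers the question the HP finding raises: not whether the device uses encryption, but which protocol it actually ended up on.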

In fact, privacy concerns were found in every smart watch HP tested. Every single device recorded, and revealed, a user's name, address, birthdate, weight and gender, while 70 percent of them also gave out information about a user's heart rate. In conjunction with the lack of password screen locks and the POODLE vulnerabilities, this means that a dedicated cybercriminal could find out a lot of information about a user without resorting to extraordinary measures.

At this time, HP does not have any specific recommendations for users who own smart watches, nor does it advise new consumers whether to buy them or to hold off. The company points out that since the technology is new, security will likely evolve to keep pace with adoption.

However, smart watches are clearly not off to an auspicious start, and short of using the limited security measures already in place, there does not appear to be much that users can do to defend themselves.

Marshall Honorof is a senior writer for Tom's Guide. Contact him at mhonorof@tomsguide.com. Follow him @marshallhonorof. Follow us @tomsguide, on Facebook and on Google+.