Cybersecurity Snapshots #20 - Are Smartwatches Secure?
Smartwatches have become extremely popular, and the number of people using smartwatches is expected to keep growing long into the future. According to a study by Acumen, the global smartwatch market is anticipated to grow at a CAGR of around 20.1% during the forecast period 2020 to 2027 and to reach around US$ 88.7 Billion by 2027. But just how secure are smartwatches?
In 2015, a report by the IT security firm Trend Micro highlighted a potential smartwatch cybersecurity oversight: the physical protection of sensitive data. The researchers analyzed smartwatches from significant providers like Apple, Samsung, Motorola, LG, Sony, Asus, and Pebble. Through their study, they were able to determine that each smartwatch's physical protection (i.e. how secure it is if stolen) wasn't up to scratch, stating that each manufacturer "opted for convenience" over security. The researchers criticized the oversight at the time and said that while a lack of authentication features made devices easier to operate, the risk of having personal and corporate data compromised was far too great to overlook. The researchers also highlighted the fact that smartwatches save data locally when they're out of range of their connected smartphone. This means that if the smartwatch is stolen and does not have any physical data protection method in place, the thief would be able to access all the data saved onto that device instantly.
Researchers at Kaspersky looked at whether smartwatch movements could be used to reveal passwords and other personal information. The researchers worked with an Android-based smartwatch and wrote a dedicated app that was able to process and transmit accelerometer data, which is a type of data that smartwatches monitor to determine a user's movement. From this, the researchers were able to trace whether the wearer was sitting or walking and, thanks to the GPS tracker contained inside, where exactly they were located at the time. After repeatedly analyzing the accelerometer data, the researchers were also able to determine when somebody was typing at a computer and what the user was writing. When a user typed in the same password over and over again, the smartwatch's accelerometer would move in a similar way, making it easier to determine which keys they were typing. The researchers concluded that smartwatch hackers can work out computer passwords and PINs. The researchers stated that smartwatches are not the easiest devices to hack, but they definitely can be hacked by adversaries with enough persistence and dedication.
Security researchers at the Norwegian Consumer Council (NCC) looked at how secure certain smartwatches explicitly made for children were. NCC researchers looked at four smartwatch models (Gator 2, Tinitell, Viksfjord, and Xplora) and found that they can give parents a false sense of security. Some features, such as the SOS and the geofencing alerts, didn't work reliably. And, most worrying of all, through simple steps, strangers could take control of the smartwatches. Given the lack of security in the devices reviewed, eavesdroppers could listen in on a child, talk to them behind their parent's back, use the watch's camera to take pictures, track the child's movements, or give the impression that the child is somewhere other than where they really are. The researchers also found that several of the watches transmit personal data to servers located in North America and East Asia, in some cases without using encryption. In one of the smartwatches, knowing a user's phone number would allow an attacker to gain full access to the device. In another watch, the researchers inadvertently came across sensitive personal data belonging to other users, including location data, names, and phone numbers. Another one of the watches allowed the researchers to pair an existing gadget with a completely new account, enabling them to see user data, including the watch's current location and location history and contact phone numbers in the account, all without notifying the watch user.
In another study, researchers at the Münster University of Applied Sciences in Germany tested the security of six brands of smartwatches marketed for kids. The smartwatches focused on were sold by JBC, Polywell, Starlian, Pingonaut, ANIO, and Xplora. These smartwatches were designed to send and receive voice and text messages and let parents track their child's location from a smartphone app. The researchers found that hackers could abuse those features to track a target child's location using the watch's GPS in five out of the six brands of watch they tested. Several of the watches had even more severe vulnerabilities, allowing hackers to send voice and text messages to children that appear to come from their parents, to intercept communications between parents and children, and even to record audio from a child's surroundings and eavesdrop on them. The Münster researchers shared their findings with the smartwatch companies but say that several of the bugs they disclosed have yet to be fixed.
Smartwatches can vary substantially in terms of both quality and sophistication. Therefore, a consumer tends to get what they pay for. Higher-end products will typically have a much greater resistance to cyber threats than lower-end alternatives. Since smartwatches contain valuable information about users, it is essential for the device's security to be taken seriously by manufacturers and users. To keep a smartwatch as protected as possible from adversaries, the user should make sure to change their unlock code frequently and update their software whenever a new bug fix or operating system update is released.