U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

All Smartwatches on the market are vulnerable to attacks

A study conducted by HP’s Fortify on security features implemented by Smartwatches revealed that not even a single device found to be 100 percent safe. Today we talk about a great passion of mine, watches. Let me tell you that I’m not attracted by Smartwatches, I consider watches and their gears a work of art […]

All Smartwatches on the market are vulnerable to attacks

A study conducted by HP’s Fortify on security features implemented by Smartwatches revealed that not even a single device found to be 100 percent safe.

Today we talk about a great passion of mine, watches. Let me tell you that I’m not attracted by Smartwatches, I consider watches and their gears a work of art like a painting.
Having said that, today I’ll present you the disconcerting results of a study conducted by the HP’s Fortify firm on the security of Smartwatches.

According to experts at HP, almost every Smartwatch available on the market is vulnerable to cyber attack , including the popular Apple Watch and Samsung Gear.

The HP Fortify tested security features implemented by 10 of the top smartwatches currently on the market. HP has verified the presence of vulnerabilities listed on the OWASP Internet of Things Top 10, 100 percent of wearable devices contained at least one security issue that open them to cyber attacks.

The most common security issues reported by HP include:

  • Insufficient User Authentication/Authorization: Every smartwatch evaluated was paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after 3-5 failed password attempts. Three out of ten smartwatches lacked to implement Two-Factor authentication, or the ability to lock accounts after 3 to 5 failed password attempts exposing users to data harvesting.
  • Lack of transport encryption: Despite 100 percent of the products implemented transport encryption using SSL/TLS, 40 percent of them establish insecure connections to the cloud being vulnerable to the POODLE attack.
  • Insecure Software/Firmware: 70 percent of the evaluated smartwatches lack to protect firmware and validate its updates that were transmitted over unsecure connections and without encrypting the update files. Fortunately, many updates were signed to help prevent attackers sent malicious updates, for example by running MITM attacks.
  • Insecure Interfaces: Three out of ten smartwatches used cloud-based web interfaces that were vulnerable to account harvesting. These interfaces don’t implement mechanisms to limit login attempts and in many cases help hackers guess passwords.
  • Privacy Concerns: All smartwatches fail to protect user personal information, including name, address, date of birth, weight, gender, heart rate and other health information.
smartwatches study

The Study highlights the need of a new approach in the design of smart devices that consider security requirements as crucial requirements to implement. Manufacturers have to pay closer attention to the customers’ security to the risks related to cyber attacks.

“Despite their current limited footprint, smartwatches will likely replace smartphones as a convenient way to control communication and manage daily tasks. As watches become a common part of our daily workflow, we will likely use them for increasingly sensitive tasks like gaining access to our front door at home, entering and turning on our cars, and paying for purchases both in person and online.” concludes the study published by HP. “Whether using a health application, financial, or even gaming application, HP was able to intercept and detect the sensitive data being routed to multiple locations on the Internet.”

HP confirmed that it would not disclose the names of smartphone manufacturers of the devices it evaluated, but they are working with vendors to “build security into their products before they put them out to market.”

Pierluigi Paganini

(Security Affairs – Wearable devices, hacking)