{"id":77809,"date":"2015-08-11T22:55:12","date_gmt":"2015-08-12T02:55:12","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/"},"modified":"2021-08-08T20:09:22","modified_gmt":"2021-08-09T00:09:22","slug":"smartwatches-not-ready-for-primetime","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/smartwatches-not-ready-for-primetime\/","title":{"rendered":"SmartWatches – Not Ready for Primetime"},"content":{"rendered":"

\"SmartWatches<\/a>Pundits predict that Apple iWatch<\/a><\/strong> sales will surpass iPad <\/strong>first-year sales. The experts expect<\/a> Apple to sell 21 million watches in fiscal 2015. Many believe that the iWatch will drive wearable tech into the enterprise. With this kind of hype, security vendors have started to take a look at iWatch and other smartwatches.<\/p>\n

\"wearable<\/a>FierceMobileIT<\/em> reports<\/a>\u00a0that just in time for BlackHat<\/a>, MobileIron<\/a><\/strong> released a report<\/a>\u00a0looking at the security risks<\/strong> smartwatches pose to corporate data. According to the enterprise mobility management<\/a> firm, workers are increasingly using smartwatches<\/strong> to connect wirelessly to their smartphones and access corporate email<\/strong>, calendar, contacts, and apps.<\/p>\n

MobileIron looked at\u00a0the security of smartwatches that can be paired with iOS<\/a> and Android<\/strong> smartphones accessing enterprise resources as well as the pairing apps on the smartphones. The author says the EMM vendor analyzed the\u00a0Apple<\/a> (AAPL<\/a>) Watch<\/a>, Motorola Moto 360<\/a>, Samsung<\/a>\u00a0(005930<\/a>) Gear 2 Neo<\/a>, and Shenzhen Qini U8.<\/a><\/p>\n

\"MobileIron<\/a>The Qini U8 had a pairing app that displayed some “suspicious behaviors<\/strong>” that could pose a risk to personally identifiable data such as access to downloaded and cached content and phone hardware data, judged MobileIron. The pairing app was downloaded from an unknown IP address in China and not the relative safety of the official Google Play store<\/a>, which scans apps from malicious traits.<\/p>\n

Another security concern noted in the article is the implementation of passcodes<\/strong> on smartwatches. Smartphone passcodes are usually time-based so that if the device is not used within a certain time period, the device is locked and access requires entering the passcode.<\/p>\n

Smart\"Disck<\/a>watch passcodes examined by MobileIron are proximity-based<\/strong>\u00a0so that the device is locked when the smartwatch loses wireless connection with the smartphone. However, only the Apple Watch prompted the user to set up a passcode, suggesting that many users of the other smartwatches do not enable the passcode option<\/strong>.<\/p>\n

In addition, smartwatches do not have enterprise mobility application<\/strong> programming interfaces to do policy enforcement on the devices. The Apple Watch stood out in terms of security by wiping enterprise apps from the device when its companion iPhone is quarantined or retired and the enterprise apps are removed from the phone.<\/p>\n

\"smartwatchesIn terms of data encryption, there is no encryption<\/strong> on the Shenzhen Qini U8, while it is optional at the app level for the Motorola Mobility Moto 360 and the Samsung Gear 2 Neo. For the Apple Watch, encryption is enabled for the data on the watch and optional at the app level. The MobileIron report concluded,\u00a0“As enterprises embrace these devices for enterprise applications … \u00a0we expect smartwatch vendors to place an even stronger emphasis on security.”<\/em><\/p>\n

Not only has MobileIron recently scrutinized smartwatches so has HP. HP’s Fortify<\/strong> security unit tested 10 different smartwatches and found that all of them were vulnerable to cyberattacks.<\/p>\n

HP<\/a> (HPQ<\/a>) did not say which brand of smartwatches it tested. However,\u00a0FierceITSecurity<\/a><\/em>\u00a0reports<\/a> that HP did test the devices and their Android and iOS cloud and mobile app components, indicating that the Apple Watch was one of those tested.<\/p>\n

HP Fortify<\/strong> found that all the smartwatches they tested were insecure<\/strong>. Jason Schmitt, general manager of HP security at Fortify said<\/p>\n

\"HP<\/a>[Smartwatches] … will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks\u00a0<\/em><\/p>\n

HP combined manual testing and automated tools to check the devices against the open web application security project’s Internet of Things Top 10 security risks<\/a>. HP found that data collected on the smartwatch was often sent to multiple backend destinations (often including third parties). The researchers used HP’s Fortify on Demand to find many more smartwatch\u00a0vulnerabilities<\/a>\u00a0(PDF, reg. req).<\/p>\n