London UK, 13th August, 2015 – Security features on some of the market’s most popular smartwatches has been found to be poor, according to new research from Trend Micro, in partnership with First Base Technologies.
The study, which revealed security flaws in all six of big brand smartwatches on the market, stress-tested devices on physical protection, data connections and information stored to provide definitive results on which ones pose the biggest risk to consumers.
Android-based devices in the study included the Motorola 360, LG G Watch, Sony Smartwatch, Samsung Gear Live and the Asus Zen Watch; as well as the Apple Watch and the Pebble wearable – which run on their own operating system. All devices were upgraded with the latest OS version at the time of testing and paired to the iPhone 5, Motorola X and Nexus 5.
Physical device protection across all smartwatches was found to be poor, with no authentication via passwords or other means being enabled by default. This would enable free access if the wearable was stolen. All devices apart from Apple Watch, failed to contain a timeout function, meaning that passwords had to be activated by manually clicking a button.
Despite having better security features than its Android or Pebble rivals, the Apple Watch contained the largest volume of sensitive data. All of the tested smartwatches saved local copies of data, which could be accessed through the watch interface when taken out of range of the paired smartphone. This means that anyone who compromised the wearable would have access to this data. All of the devices stored unread notifications, except the Pebble, as well as fitness and calendar data. The Apple Watch stored the most data of all, with images, contacts, calendars and passbook data, which can store information such as plane tickets, all being stored locally.
“Across all of the smartwatches that were tested, it is clear that manufacturers have opted for convenience at the expense of security,” Bharat Mistry, Cyber Security Consultant at Trend Micro commented. “On the surface, a lack of authentication features can make devices appear easier to operate, but the risk of having personal and corporate data compromised is much too big of an issue to forget about.
“Manufacturers must ensure that simple security features, such as limited password attempts, are enabled on devices by default. This considerably reduces the likelihood of data breaches. Smartwatch manufacturers must be cognisant of the fact they can slash data breaches by employing this best practice.”
“Although smartwatches are a relatively new technology, the same security issues that we’ve witnessed with smartphones are still present,” said Mike McLaughlin, Senior Penetration Tester & Technical Team Lead at First Base Technologies. “Google and Apple have added complex layers of encryption to their Bluetooth and wi-fi data connections; but if someone were to steal a watch without a password enabled, any data stored would be easily compromised. The biggest risk, as with all technology, is gaining physical access to the watch, and manufacturers should ensure simple features are in place to prevent this”.
The Apple Watch was the sole wearable which allowed a wipe of the device after a set number of failed login attempts; leaving the other devices open to brute force attacks. The trusted devices feature on Android, which removes the need for a smartphone password when in proximity to a verified device, means anyone with both a smartphone and smartwatch could potentially have unrestricted access to both devices.
About the research
The research was carried out in August 2015 by First Base Technologies and tested the security settings on the following wearable devices: Motorola 360, LG G Watch, Sony Smartwatch, Samsung Gear Live, Asus Zen Watch, Apple Watch and the Pebble.
More research & resources on wearables security including videos
About Trend Micro
Trend Micro Incorporated (TYO: 4704), a global leader in security software, strives to make the world safe for exchanging digital information. Our solutions for consumers, Trend Micro™ Smart Protection Network™ provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem. Leveraging these solutions, organizations can protect their end users, their evolving data center and cloud resources, and their information threatened by sophisticated targeted attacks.
All of solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™, and are supported by over 1,200 threat experts around the globe.
For more information, visit www.trendmicro.com/en_gb/. Or follow our news on Twitter at @TrendMicroUK.