An analysis of 10 of the top-selling smartwatches finds serious privacy and security concerns, including a finding that data collected on many of the watches and passed through an app can easily make its way to third parties.
The analysis, conducted by HP and Fortify on Demand, calls the results "disappointing, but not surprising," an indicator that the smartwatch market has a ways to go before it's adopted by the healthcare industry as a reliable means of collecting consumer health data.
"We continue to see deficiencies in the areas of authentication and authorization along with insecure connections to cloud and mobile interfaces," the report states. "Privacy concerns are magnified as more and more personal information is collected (including health information). Issues with the configuration and implementation of SSL/TLS that could weaken data security were also present."
Along with the concern that data can be easily send to third parties, the analysis of the smartwatches and their paired iOS or Android connections found:
- Communications were easily intercepted 9 out of 10 times;
- 70 percent of the data passed through a watch wasn't encrypted;
- Only half of the watches offered the ability to lock the screen;
- Watches with cloud interfaces often allowed weak passwords;
- Watches that allow a mobile app with authentication also allowed unrestricted account enumeration.
In addition, the study found that 30 percent of the time, due to a combination of account enumeration, weak passwords and no lockout capabilities, hackers could easily practice what's known as "account harvesting" - guessing log-in credentials to access a user's account.
In their conclusion, the study's authors argue that while smartwatches aren't prevalent, they "will likely replace smartphones as a convenient way to control communication and manage daily tasks," and with that popularity will come more opportunities to abuse that access.
See also:
Latest Apple Watch tuned for home health monitoring
