Smart Watches Fail the Data Security Test

The perils of allowing wearables in the workplace were highlighted again today in new research from Trend Micro which uncovered security and privacy issues with some of the biggest brand smart watches on the market, including the Apple Watch.

The security giant commissioned First Base Technologies to test the devices in three areas: device protection, data connection and local data storage.

There were seven smart watches in total – the Motorola 360, LG G Watch, Sony Smartwatch, Samsung Gear Live, Asus ZenWatch (all Android-based), plus the Pebble and Apple Watch.

All devices were monitored in their default state with no third-party apps installed. They were upgraded to the latest OS version, and paired with the iPhone 5, Motorola X (2013) and Nexus 5.

The report claimed physical device protection was poor on all the smart watches reviewed, with authentication not enabled by default on any of them.

What’s more, Android smartphones can use ‘trusted’ Bluetooth devices like the watches for authentication – so if they’re connected to the watch they will not engage the lock screen.

This means that if the phone and watch were stolen together, a thief would have full access to both devices.

Also concerning was that all devices tested kept local copies of data which could be read through the watch interface. This means that if any of the smart watches were stolen then all synced data would be accessible to the thief.

The Apple Watch was particularly exposed by storing much more data than the other devices – including contacts, emails, calendars, pictures, fitness data and Passbook entries. Passbook-stored cards can even be used to make payments.

However, Apple did win back some security points by being the only device to have a timed lock-out facility and a device wipe option after a set number of failed log-in attempts.

On the plus side, all of the watches tested used Bluetooth encryption and TLS over Wi-Fi to protect data in transit.

“Currently smartwatches do not allow the same level of interaction as a smartphone; however it is only a matter of time before they do,” the report claimed. “Having unprotected devices with full access to personal data is a serious risk.”

Wearables are an increasing concern to enterprise IT managers keen not to repeat the early mistakes of BYOD.

Separate Trend Micro research found that 69% of UK staff bring their wearables to work, but a third of IT pros surveyed said they were worried about the influx.

Nearly three-quarters (73%) said businesses need to introduce a specific wearable security policy.

Trend Micro cybersecurity consultant Bharat Mistry told Infosecurity that IT managers need to consider use cases before allowing smart watches to store corporate data.

“By 'use cases' I mean look at the applications which will be accessed and also the sensitivity of the data and what is driving the need to access data from the smart watch. They can be used in a corporate usage policy that employees must sign up to before the device can be used to access corporate data,” he explained.

“Certainly based on the current research by Trend Micro, I would suggest IT managers hold back adopting smart watches for corporate use until better controls – such as encryption of data at rest, the use of stronger authentication, and auto-timeout and remote wipe capabilities – are introduced.”
