How strong is your smartwatch's data security?
In a society where health and wellness are no longer buzzwords but real things people have adopted as part of a balanced lifestyle, we need devices that keep us aware and informed – to be the catalysts that drive us to action. But while the Internet of things (IoT) has allowed smart wearables to become commonplace in today's households and workplaces, big adoption can spell bigger risks for data security.
Since it's popular opinion pushing the sales of smart wearables to new heights, ISACA (previously known as the Information Systems Audit and Control Association) surveyed 1,001 employed consumers of connected devices in the UK. The results showed that around 60% of respondents proactively tried to manage the privacy and data security settings on their devices but only 36% felt that information gathered on their smartwatches (and 29% on their smart glasses) was private. Only 21% thought their smartwatches were actually secure.
First, the bad news
Inadvertently confirming popular opinion, HP went ahead and conducted a study on ten popular iOS and Android-based smartwatches. They found "...numerous security concerns..." on these devices while performing a battery of security tests (known as HP Fortify). Here are some of the most noteworthy problems found:
- Insufficient user authentication. Things like limits on the number of failed password attempts and two-factor authentication were found lacking in 3 devices.
- Network vulnerability. Four in ten devices still used the POODLE-vulnerable SSL v2 encryption ciphers.
- Insecure interfaces. On the 3 devices that had cloud access, the "reset password" procedure would allow hackers to determine which cloud accounts were valid.
- Insecure software/firmware updates. Seven in ten devices transmitted their software and firmware updates unencrypted, allowing eavesdroppers to download and analyse them.
- Exposed personal details. The lack of data security mentioned above raises the risk of exposing personal details gathered by the devices, such as names, addresses, dates of birth, and notably health and fitness information.
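The authentication and "reset password" findings above both come down to server-side checks. The sketch below is an added example, not code from HP's study or from any tested device; the account store, limits and function names are assumptions. It contrasts a reset handler that reveals valid accounts with one that does not, and adds a limit on failed password attempts.

```python
import hashlib
import secrets
import time

# Constructed sample data; names and limits are assumptions for illustration.
ACCOUNTS = {"alice@example.com": {"reset_hash": None}}
GENERIC_REPLY = (200, "If that address is registered, a reset link has been sent.")
OUTBOX = []            # stands in for a mail queue so the example runs offline
MAX_FAILURES = 5       # failed attempts allowed per window
WINDOW_SECONDS = 900   # 15-minute window


def reset_leaky(email):
    """'Before' form: status and text differ, so valid accounts can be told apart."""
    if email not in ACCOUNTS:
        return 404, "No account with that address."
    return 200, "Reset link sent."


def reset_uniform(email):
    """Hardened form: identical reply whether or not the account exists."""
    account = ACCOUNTS.get(email.strip().lower())
    if account is not None:
        token = secrets.token_urlsafe(32)
        # Keep only a hash server-side; the token itself goes out by mail.
        account["reset_hash"] = hashlib.sha256(token.encode()).hexdigest()
        OUTBOX.append((email, token))
    return GENERIC_REPLY


class FailureLimiter:
    """Limit failed password attempts per account within a sliding window."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}  # account id -> timestamps of recent failures

    def locked(self, account_id):
        cutoff = self.clock() - WINDOW_SECONDS
        recent = [t for t in self.failures.get(account_id, []) if t > cutoff]
        self.failures[account_id] = recent
        return len(recent) >= MAX_FAILURES

    def record_failure(self, account_id):
        self.failures.setdefault(account_id, []).append(self.clock())
```

A uniform reply only helps if the response time is also the same for both cases, so in a real service the mail would be sent from a background queue rather than inside the request.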
Now the good news
Strides are being made in developing better data security legislation in the EU. The focus is on the rights of the individual and on how their personal information is to be protected. The Data Protection Directive (95/46/EC) has been criticised as outmoded, which has sparked the need for legislation that better considers the nature of connected devices in the IoT.
Although currently a work in progress, the new General Data Protection Regulation (GDPR) will elaborate on aspects of the existing Directive and will supersede it once it is adopted, which could be as early as 2016. Among other things, it aims to address the wearable device sector with better descriptions of what constitutes private data, how said data can be collected, and in what form it should be transmitted, if at all.
But in the meantime
There are some things you can do to protect yourself. HP had the following recommendations to help consumers avoid falling victim to bad data security:
"... that users do not enable sensitive access control functions such as car or home access unless strong authorization is offered. In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorized access to data."
So, while you look good doing that thing you do with your snazzy smartwatch, take care of your devices and their data as much as you take care of yourself.