All smartwatches are insecure, reveals unsurprising research

A study by Hewlett Packard (HP) has revealed that a hefty 100 per cent of smartwatches contain significant security vulnerabilities. As part of HP's extended shuftie over the Internet of Things thing, the company has unveiled a new report (PDF) in which it confirms that wristjob wearing wallies are even wider open to …

  1. Anonymous Coward

    "transmitting updates without encryption"

    is not a security flaw - as long as the updates themselves are cryptographically signed.

    Which is the watch with a built-in DNS server? That's the one I want to have :-)

  2. h4rm0ny

    Really?

    Because there's not a single reference in the report to the Microsoft Band. In fact the report doesn't even list what devices they tested, it just says it samples ten smartwatches. So is it in there or not? It's certainly a smartwatch.

    Perhaps El Reg could drop them a line and find out what devices HP actually tested and what the results were, rather than just throw up a far from proven headline about 100% of smartwatches. I mean are there four different Android watches in there? Should they really be treated as separate? Are there marked differences in the number of vulnerabilities? Did the iWatch fail six categories and a rival fail only one? Not all the categories are equal as the first poster on this article illustrates quite nicely. El Reg should AT LEAST get a list of which devices were assessed.

    1. dogged

      Re: Really?

      This author's last missive - the one where the NSPCC claim that 101 nonces jailed is 2 per day over a year - shows form for simply regurgitating press releases.

      I wouldn't hold your breath waiting.

    2. returnmyjedi

      Re: Really?

      They don't mention a single device by name, so it's unclear whether they included the Band, Apple Watch, Motorola 360 etc etc.

      However I have found that ten of the leading microwaves are little more than a twirly wheel and a bag of glowworms. FACT.

    3. Me too

      Re: Really?

      Looks like the Band probably wasn't tested - From the Research Findings in the document:

      "HP reviewed 10 popular smartwatches along with their paired Android or iOS mobile device and application."

      Now, I know the Band can easily pair with both Android and iOS, but surely in a security test, you'd pair it with its "native" OS as well. Wouldn't you HP?

      1. h4rm0ny

        Re: Really?

        >>"Now, I know the Band can easily pair with both Android and iOS, but surely in a security test, you'd pair it with its "native" OS as well. Wouldn't you HP?"

        Well if they're truly testing the device itself, it shouldn't matter which they pair it with. For something multi-platform like the Microsoft Band, if it accepts weak encryption from Android it's still a flaw even if it defaults to something more secure with Windows Phone.

        Incidentally, if that's a dig at WP's popularity, plenty of them here in Europe. Come on El Reg - you ought to be able to at least get a list of which ten devices were tested if you're going to post a headline like that.

        1. Me too

          Re: Really?

          Not a dig H4rm0ny - no need to get so defensive. I know there are plenty of WP users, and not just in Europe - they're pretty popular in the sub-continent too. Of the people in my (European) office, we're evenly split between WP8.1 and Android, and there are plenty of others scattered about the campus.

          For the record, I'm one of the users (and looking to stay so with a phone upgrade imminent), although my Band is the only one in the Office.

          On your other point, I do agree. Since the Band works on all three major platforms (does the Android app work in Sailfish?) it should have been tested on all three. However, since this is obviously a poor article regurgitating a poor press release announcing poor research, poorly done, I don't think it was a consideration.

    4. Anonymous Coward

      Re: Really?

      Watch (pun intended) out. Your post incorrectly mentioned the Watch currently being sold by Apple.

      The name you gave is trademarked to a different company.

      By mentioning it that way, you risk being sued for Trademark infringement.

      By continuing to describe the fruity device incorrectly, you are indirectly helping Apple in their lawsuit against the trademark holders. The holders have to ensure its uniqueness otherwise they will lose their claims to it.

  3. Anonymous Coward

    Spidey-senses tingling...

    HP about to bring out a smartwatch. It will be a flop.

  4. SuperNintendoChalmers
    Joke

    But what were they wearing?

    Afraid I just can't take this report seriously until I know if the people who compiled it were complying with the company dress code or not.

  5. Joel 1
    Facepalm

    This isn't a report

    They don't report on which devices they tested. They also don't even say if they tested the iWatch, just that they tested "10 of the top smartwatches" not the top 10 smartwatches. Did they test the Pebble? Did they test any of the Swiss Chronograph with smart functionality?

    This is PR guff and doesn't give any details which might allow you to draw some conclusions. They don't even say when they conducted the research, or which versions of the various OS's were used. Was the iWatch even released at this point?

    And the Reg article is shoddy as well - it says 100% of smartwatches have flaws. 10 is not 100%. A touch of sampling bias methinks as a minimum. Alexander Martin should be ridiculed in the same articles mocking the credulity of journalists reporting that Chocolate helps you lose weight.

    There might well be vulnerabilities across the board. I think someone should research this issue, as there doesn't appear to be any extant research published.

    Doh!

  6. This post has been deleted by its author

    1. JoshOvki

      Re: 60% of facts are made up

      I thought it was 64.3% of facts are made up?

      1. HildyJ

        Re: 60% of facts are made up

        On the other hand, 9 out of 10 studies show that 72.9168% of made up facts are true.

      2. Stevie Silver badge

        I thought it was 64.3% of facts are made up?

        You made that up.

        1. Anonymous Coward

          Re: I thought it was 64.3% of facts are made up?

          Abraham Lincoln said that almost all of the facts on the internet were made up.

          1. Anonymous Coward

            Re: I thought it was 64.3% of facts are made up?

            And Mark Twain said that anything that Abraham Lincoln said about facts on the internet was likely to have been made up.

  7. moiety

    In fairness a lot of these apps are about monitoring fitness. People who are prepared to broadcast live data like sleep stages, heartbeat etc. to foreign companies probably aren't overly concerned about security. Yet.

    1. werdsmith Silver badge

      They can hack my pebble if they wish, I am quite happy to expose everything it does publicly as most of the stuff you can see on it is already on twitter in a more complete form. Or they could just look at twitter.

      I don't have many snowdenesque messages for them to be interested in.

      1. moiety

        Case in point. Security is expensive and if customers aren't bothered then manufacturers aren't going to volunteer for extra expense. Until something happens like...I dunno...burgling rings waiting until you're properly asleep before breaking in or something like that. By which point it'll be too late.

        1. werdsmith Silver badge

          I am bothered. I'm just careful where I leave important stuff. Smartwatch info is trivial only.

          Internal locus of control.

  8. David Roberts Silver badge
    Thumb Up

    Chocolate?

    "Alexander Martin should be ridiculed in the same articles mocking the credulity of journalists reporting that Chocolate helps you lose weight."

    But...but...chocolate does help you lose weight.

    As part of a calorie controlled diet of course.......

  9. TeeCee Gold badge
    Meh

    "a cultural allergy to crypto."

    Hmm. These are watches, right? So, small cases, bugger all capability to dissipate heat[1], tiny underpowered CPUs, small low-capacity batteries.

    You'd almost suspect that every CPU clock-cycle is a precious thing to be fought over, just like in old skool computing.

    [1] Worse still, any heating of the case is going to be noticed and vociferously complained about by its wearer.

  10. Stevie Silver badge

    Bah!

    The danger to the iWatch wearer is significant. Consider: you are minding your own business in one of the thirty seven Starbux near work and some yob hacks your timepiece and replaces the time display with a custom one. In a trice, an iSheriff leaps from behind the organic chocolate chip cookie display and slaps you, the innocent iFan, with an iSubpoena pending ruinous sueage.

    Oh the humanity!

  11. Henry Wertz 1 Gold badge

    Yes.

    "They don't report on which devices they tested. They also don't even say if they tested the iWatch, just that they tested "10 of the top smartwatches" not the top 10 smartwatches. Did they test the Pebble? Did they test any of the Swiss Chronograph with smart functionality?"

    How many "smartwatches" are on the market anyway? I would assume "Did they test xyz?" the answer would be yes, just because I didn't think there'd even be more than 10 models.... That said this whole "responsible disclosure" thing of not even naming and shaming vendors is crap IMHO.
