HP: Smartwatches Are a Major Security Risk
Mickeycaskill writes: Researchers at HP Security discovered "significant vulnerabilities" in every single smartwatch they tested, claiming they pose a major security risk for users. The team is concerned by an apparent lack of authorization and authentication provisions, encrypted firmware updates and protection for personal data. When coupled with poor password choices, HP says wearables are as much a target for cyber criminals as muggers on the street. "As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks," said HP's Jason Schmitt.
Nice try, I still had to click "get the report" another 2 times
http://go.saas.hp.com/l/28912/2015-07-20/325lbm/28912/69038/IoT_Research_Series_Smartwatches.pdf
No brands or concrete data mentioned. This is a garbage report. They should have at least detailed which models had which problems. Instead we get nothing of value.
We don't make one of these amazing things, so you shouldn't have one of these scary things.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
... the company servers if you give a shit about security.
The whole BYOD argument has been debated to death. Point is there are two camps here.
Camp 1 says "No, because security" and Camp 2 says "Yes, because I'm lazy and like my toys."
Did I strawman camp 2? Sure. They'll actually say stuff like "we can secure our systems." But there is overwhelming evidence to the contrary. And if you ask them why they don't want to use the company-provided blackberries or something they'll say "well I don't want to bring two phones" or "I can't install my apple shit on this thing" or whatever. Which means the security is being compromised for convenience and toys.
Now is there some hidden agenda in Camp 1? I mean, I just talked a lot of shit about camp 2... is there something off with camp 1? I can't see it. I'm a fully paid-up, card-carrying member of camp 1. So maybe I just can't see it because I'm too close to it. You tell me. But I don't think there is a hidden agenda with camp 1. Camp 1 says "we cannot secure your private shit phone and thus giving it access to the VPN etc. is a stupid idea and we're not doing it."
So the stupid watches for the BYOD phones are an additional security vulnerability? Okay.
Whose problem is that? Not camp 1's problem because they're not going to let you use that shit with the company phone anyway. Problem fucking solved. *brushes rhetorical dirt off hands and goes off to lunch*
Camp 2 however has more problems to deal with and it is never going to stop. And the thing is that no organization either can or will even choose to try to keep up with all this shit. They'll make efforts to close the most glaring issues but that's about it. Which means those systems will be what they've always been... wide fucking open. And that predates the whole BYOD thing. Some organizations do what is required to secure the systems and some basically jerk off into their coffee and call it cream.
Here is what "I" need for the stupid watches to be acceptable. I need to be able to control the encryption between the phone and the watch. And then I need to be able to lock those parameters into the phone so that they can't be changed by the user or some fucking program you install from the marketplace/appstore that says in the long list of permissions "oh yeah, fuck your security". And then I need to be able to control what is passed between the phone and the watch. Apparently these things are set up to pass EVERYTHING. And that's adorable and stuff but clearly that has to be scaled back to something less deranged.
There are so many problems with this stuff. I appreciate the makers are pushing this for idiot consumers and that they are going for looks and functionality etc and security isn't even on the radar.
And that is FINE... for a toy. But any company that lets that crap have access to their servers deserves whatever happens.
No pity.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
The problem with camp #1 is they, in many cases, utterly fail to provide the tools necessary for people to do their jobs efficiently, which is why people want to bring their own.
Mind you, it's not necessarily the boots on the ground (but rather the generals) for camp #1 causing the problem, but it is camp #1's problem.
(by the way, I have been in both camps in various parts of my career)