Smartwatch Security Research


Overview

This report, commissioned by Trend Micro in partnership with First Base Technologies, reveals the security flaws of six popular smartwatches. The research involved stress testing these devices for physical protection, data connections and information stored, to provide definitive results on which ones pose the biggest risk with regard to data loss and data theft.

Summary of Findings

Physical device protection is poor, with only the Apple Watch having a lockout facility based on a timeout. The Apple Watch is also the only device which allowed a wipe of the device after a set number of failed login attempts.

All the smartwatches had local copies of data which could be accessed through the watch interface when taken out of range of the paired smartphone. If a watch were stolen, any data already synced to the watch would be accessible. The Apple Watch allowed access to more personal data than the Android or Pebble devices.

All of the smartwatches we tested were using Bluetooth encryption and TLS over WiFi (for WiFi enabled devices), so consideration has obviously been given to the security of data in transit.

Android phones can use trusted Bluetooth devices (such as smartwatches) for authentication. This means that the smartphone will not lock if it is connected to a trusted smartwatch. Were the phone and watch stolen together, the thief would have full access to both devices.

Currently smartwatches do not allow the same level of interaction as a smartphone; however, it is only a matter of time before they do. Having unprotected devices with full access to personal data is a serious risk.

Devices Tested

- Motorola 360 (Android Wear)
- LG G Watch (Android Wear)
- Sony Smartwatch 3 (Android Wear)
- Samsung Gear Live (Android Wear)
- Asus ZenWatch (Android Wear)
- Apple Watch (Watch OS)
- Pebble (Pebble OS)

Timeline

Our research was conducted during July 2015.

Background

We examined the watches in their default state with no third party apps installed. Users should note that installing third party apps could increase the vulnerability of any smartwatch. We paired the watches with iPhone 5, Motorola X (2013) and Nexus 5. All watches were upgraded to the latest OS version at the time of testing (July 2015).

Watch                 OS version
Motorola 360          Android Wear 1.1.1.2006643
LG G Watch            Android Wear 1.1.1.1929530
Sony Smartwatch       Android Wear 1.1.1.1929530
Samsung Gear Live     Android Wear 1.1.1.1944630
Asus ZenWatch         Android Wear 1.1.1.1910765
Apple Watch           Version 1.0.1 (12S632)
Pebble                Firmware v.2.9.1

Device protection

Authentication is not enabled by default on any device. Android phones (version 5.0 and above) can use trusted Bluetooth devices such as smartwatches for authentication. This means that the phone will not engage the lock screen if it is connected to a trusted smartwatch. Were the phone and watch stolen together, the thief would have full access to both devices.

Motorola 360
  Passcode: Not by default. Can be configured to turn on when the watch is taken off the wrist, but this did not work reliably during testing.
  Type: Pattern

LG G Watch
  Passcode: Not by default.
  Type: Pattern

Sony Smartwatch
  Passcode: Not by default. Can be configured to turn on when the watch is taken off the wrist, but this did not work reliably during testing.
  Type: Pattern

Samsung Gear Live
  Passcode: Not by default.
  Type: Pattern

Asus ZenWatch
  Passcode: Not by default.
  Type: Pattern

Apple Watch
  Passcode: Not by default.
  Type: 4 digit PIN (numbers only)
  Lockout: None by default, but can be configured to lock based on idle timeout. Option to erase data after 10 login attempts.

Pebble
  Passcode: Not available unless via third party apps.
  Type: -
  Lockout: -

Data Connections

All the smartwatches support Bluetooth for data transmission between the watch and smartphone. These connections use Bluetooth encryption. Android and Pebble devices rely entirely on this encryption to secure the communication. The Apple Watch, as described in the iOS Security Guide, integrates the proprietary IDS (Identity Services) technology as a further encryption layer.

Four of the devices support using WiFi to keep the watch up-to-date when the paired phone is not in range. All of the connections over WiFi were encrypted using TLS 1.2 and it was not possible to intercept personal information.

Watch                 Bluetooth   WiFi
Motorola 360          Yes         Yes
LG G Watch            Yes         No
Sony Smartwatch       Yes         Yes
Samsung Gear Live     Yes         Yes
Asus ZenWatch         Yes         No
Apple Watch           Yes         Yes
Pebble                Yes         No

Local data storage

Local data storage was tested by turning off Bluetooth and Wi-Fi and checking what data was accessible from the watch interface. All the watches kept local copies of data available through the watch interface. If the watch were stolen, any data already synced to the watch would be accessible.

Local Data Storage

Motorola 360, LG G Watch, Sony Smartwatch, Samsung Gear Live, Asus ZenWatch
  Cached data: Any unread notifications. Read notifications are also accessible via a notification history menu.

Apple Watch
  Cached data: Contacts, emails, calendars, pictures, fitness data and Passbook entries. The Passbook entries were tested with plane tickets. Passbook can also store loyalty cards with credit, so it should be possible to use this to make payments.

Pebble
  Cached data: This is also the only device that can be re-paired to a new phone without losing data. However, by default the device does not store any sensitive data (excluding notifications) unless via third party apps.

About First Base Technologies

Founded in 1989 by Peter Wood, First Base Technologies LLP provides independent security consultancy, testing and security awareness services. We pride ourselves on being ethical, pragmatic and professional, delivering quality services on time and within budget. The independence of our advice is guaranteed, since we have no commercial involvement in product sales or installation. You will appreciate our commitment to maintaining a long-term business relationship, with expert opinion available on demand whenever you need it. Our CREST membership and our ISO 9001 and ISO 27001 certifications demonstrate a dedication to quality service and information security management that you can depend on.

We don't just talk about information security, we live and breathe it. Experts in their fields, our people are thought leaders in security counter-measures, analysis and emerging technologies. They work to the highest professional and ethical standards, whether they are providing advice, testing your defences or helping educate your staff. For over twenty-five years we have made significant contributions to the security of our clients and the environment in which they work. Major organisations in banking, insurance, fashion, retail, publishing, manufacturing, construction, law and government all trust our skills and results. You can be sure that your information security is in safe hands.

About the authors

Mike McLaughlin, Technical Team Lead, First Base Technologies LLP

Mike is a Senior Penetration Tester and our Technical Team Lead. He is a talented and self-motivated ethical hacker working in the information security industry since 2006. For Mike, information security is a vocation, not just a job; he is passionate about security whether in the corporate arena or personal home environment. He has worked on many security testing projects for clients in various business sectors, including retail, banking and government. Mike is a Member of the BCS and holds the SANS GSEC and GPEN qualifications. He was also the first member of our team to pass the demanding Offensive Security Certified Professional (OSCP) examination and is a CREST Registered Tester. Mike's key skills include a deep knowledge of network protocols and communications, operating systems and highly technical exploits.

Stefano Castilletti, Senior Penetration Tester, First Base Technologies LLP

Stef is an enthusiastic Senior Penetration Tester with in-depth application testing skills. He brings coding and research skills to the team, as well as conducting complex web application and external infrastructure penetration tests. His training has also enabled him to perform custom tests requiring forensic and coding skills. Stef holds an MSc and a BSc (Hons) in Ethical Hacking and Computer Security from Abertay University, Dundee, is a Member of the BCS and holds the SANS GSEC and GWAPT qualifications. He has also achieved the Offensive Security Certified Professional (OSCP) certification and is a CREST Registered Tester. Stef's skills include exploiting both published and new vulnerabilities in applications, with particular focus on large e-commerce applications.

About Trend Micro

Trend Micro Incorporated (TYO: 4704), a global leader in security software, strives to make the world safe for exchanging digital information. Our solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem. Leveraging these solutions, organizations can protect their end users, their evolving data center and cloud resources, and their information threatened by sophisticated targeted attacks. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.co.uk or follow our news on Twitter at @TrendMicroUK.