The number of smartwatches is increasing steeply. Smartwatches are often able to track your heart rate, sleep, location, exercise and much more. Additional features nowadays include receiving phone notifications and making payments. But how secure is your watch, and all your personal data?
In case of theft, a thief will often easily be able to enter the device as most people do not install screen locks on their devices (O’Connell, 2019). Manufactures do have additional features to prevent easy access, such as the option to obstruct a connection with an unknown phone and the requirement of a close-proximity connection with the phone for payments and other important functions (Symanovich, 2019). Most smartwatches use Bluetooth-technology to create such a connection, which is not often targeted by attacks (Thomas, 2019). Nevertheless, the data is often not encrypted due to the limited computing power of the watch and simply secured by a six-digit pin. A six-digit code is easily cracked with the use of brute force attacks (Wenz, 2019).
Whenever a device does get breached, almost all data (e.g. notifications, heartbeat, locations and audio recordings) can be subtracted from the device (Do, Martini and Choo, 2016). Furthermore, a hacked device could leak your data or even breach into your network, obtaining information from the network as well. (Symanovich, 2019).
Smartwatches often allow third-party apps on their operation system for providing the customer with additional features. These apps are able obtain all kinds of information. It’s therefore important to read the privacy policies of these apps to ensure your data is handled with care (Symanovich, 2019). The data can be used against you be insurers for example, although no case of this is revealed yet.
On the bright side, Google released Adiantium in the spring of 2019. Adiantium is an encryption mode that can run on devices running Android Wear by using the ChaCha stream to cipher in a length-preserving mode (Crowley and Biggers, 2018). In this way, low-performance devices can encrypt their data in the same degree as smartphones and laptops can. Apple did include encryption in their newest version of iOS as well (Apple, 2019). Moreover, Apple asks users to enter a password to adjust the device settings and allows users to deactivate their pay account remotely via iCloud and (Thomas, 2019).
A research by Kasperky (Lurye, 2019) showed that smartwatches are relatively safe nowadays. Their encryption is improving and so are their protection measures. Managing permissions, checking for privacy policies and being alerted for malware will help to prevent most damage. No guarantee for a breach can be given, however. In case of a breach, basic information can be obtained quite easily. More specific information such as what the user types on a computer or credit card information is much harder to obtain and requires advanced software such as neural networks.
Apple (2019). iOs security. [ebook] Apple, pp.37-38. Available at: https://www.apple.com/business/docs/site/iOS_Security_Guide.pdf [Accessed 4 Oct. 2019].
Crowley, P. and Biggers, E. (2018) “Adiantum: length-preserving encryption for entry-level processors”, IACR Transactions on Symmetric Cryptology, 2018(4), pp. 39-61. doi: 10.13154/tosc.v2018.i4.39-61.
Do, Q., Martini, B. and Choo, K. (2016). Is the data on your wearable device secure? An Android Wear smartwatch case study. Software: Practice and Experience, 47(3), pp.391-403.
Lurye, S. (2019). Experiment: How easy is it to spy on a smartwatch wearer?. [online] Kaspersky.com. Available at: https://www.kaspersky.com/blog/smart-watch-research/22536/ [Accessed 4 Oct. 2019].
O’Connell, J. (2019). 5 Security Concerns for Your Smart Watch | Hacked: Hacking Finance. [online] Hacked. Available at: https://hacked.com/5-security-concerns-smart-watch/ [Accessed 4 Oct. 2019].
Symanovich, S. (2019). Smart watches and internet security: Are my wearables safe? | Norton. [online] Us.norton.com. Available at: https://us.norton.com/internetsecurity-iot-how-to-protect-your-connected-wearables.html [Accessed 4 Oct. 2019].
Thomas, K. (2019). How secure is your smartwatch? | WeLiveSecurity. [online] WeLiveSecurity. Available at: https://www.welivesecurity.com/2015/04/15/secure-smartwatch/ [Accessed 4 Oct. 2019].
Wenz, J. (2019). Why Links Between Smartwatches and Phones Could be Vulnerable to Attacks. [online] Popular Mechanics. Available at: https://www.popularmechanics.com/technology/security/a13815/hackers-can-crack-smartwatch-and-smartphone-encryption-17514096/ [Accessed 4 Oct. 2019].
Very interesting subject, but left with one question: There are many software security companies nowadays focusing on the protection of tablets & phones & laptops. Why did none of these companies enter such market of smartwatches, where apparently there are no players?
Dear Damla,
Thank you for your comment. I believe the main reason for this results from the fact that many smartwatch producers use existing software which is restricted in able to work on the devices. The challenge is in protecting such a device without limiting its performance. Moreover, the market itself is still very small in comparison to PCs and smartphones as well. But you’re right, there’s definitely an opening in the market here.
Kind regards,
Devin Solleveld
Interesting post about smartwatches! Do we already know in what direction the smartwatch is going? If I look around, the smartwatch is not around everyones wrist yet. Most smartwatches are just little versions of your phone. I see the most potential in healthcare possibilities and live tracking of a persons real-time information. What is your view on the direction smartwatch developers should focus on? And how does this affects the importance of securing smartwatches in the future?
Hello Devin,
Thank you for your blog post. I found it an interesting article to read as I’ve personally never thought about the fact that a smartwatch could easily be hacked, which is alarming when you consider the fact that these devices are not only connected to your phone, but have an indirect connection through your phone with your entire home network. I therefore wonder if you know to what extent home networks have been breached via smartwatches and if this opposes real threats in the future.
To add to the previous remark, I found that there are certain companies (e.g. Panda Security) that have already stepped into the smartwatch security market. The question in this remains why these solutions are still quite unknown, despite the known security risks. What is your opinion regarding this?
With regards,
Deniz Arpat