Smartwatch security threats: The sky isn’t really falling

Apple Watch release date, price & features

Security firms Kaspersky and Wisekey are worried about the amount of unprotected data shared between smartphones and wearables. Which leads me to ask, just how insecure is your smartwatch?

I'm not going to dismiss these security vendors concerns off the bat, but I will throw a quick MRDA (Mandy Rice-Davies Applies) into the conversation. After all, this is the same industry that seems to think that anti-virus products on the desktop are still somehow valid.

Let's agree that if wearables become a conduit for mobile payments, and smartwatch technology will allow that across most platforms soon enough, then obviously there's the potential for cyber-theft.

Well, maybe.

Most of the emphasis has to be on the word 'potential', which is very different to the word likely'.

Not that there aren't questions to ask when we think seriously about the smartwatch sector (something that's hard to do when they all look like Christmas cracker toys).

Those questions will grow in stature if more people start wearing the things. Questions such as, can they be hacked, is there the potential for malware or man-in-the-middle attacks, and what happens to your data if your watch gets stolen or is lost?

Sound familiar? They should do - we asked the same ones when our phones started getting clever. For the most part, we've answered them too.

And that's the thing, wearables are paired with those smartphones for which we have mostly sorted the data security now. Which leaves us to ask, are smartwatches even a threat at all?

Well, they are not just dumb terminals. They display notifications from your smartphone, and notifications contain valuable data, lots of it.

A smartwatch is a conduit to more data, in your pocket and beyond, and that will eventually make them attractive to the bad guys.

When Trend Micro tested smartwatches for hardware protection, data connections and local data storage, it found all of them had weaknesses that could be exploited. All of them saved notification and calendar data locally, making it possible for hackers to get it without the smartphone being required.

When HP Fortify studied smartwatches for security, it also found them lacking, particularly when it came to user authentication and poor encryption of data in transit. Most were vulnerable to attacks enabling man-in-the-middle threats or using outdated, and therefore vulnerable, protocols such as SSL 2.0.

Not that bad guys are targeting smartwatches just yet, as far as we can tell. The attack surface is, quite literally, way too small. Not enough users, not enough data, not enough resources to install malware, not enough anything.

A lot of alleged smartwatch insecurities that the media trumpet are hard to imagine outside of a lab environment. Take a look at MoLe: Motion Leaks through Smartwatch Sensors if you want a shining example.

But as the tech on your wrist gets more powerful, and the apps more complex, threats will grow and emerge. Until that is the case, there's not really much that is likely to be done in terms of cyber-badness.

The whole wearables security sector right now reminds me a lot of Chicken Little. The sky isn't falling, and getting too squawky about smartwatches right now just serves to distract from the real problem: securing your data in the cloud and on your smartphone.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.