HP: Smartwatches Are a Major Security Risk 98
Mickeycaskill writes: Researchers at HP Security discovered "significant vulnerabilities" in every single smartwatch they tested, claiming they pose a major security risk for users. The team is concerned by an apparent lack of authorization and authentication provisions, encrypted firmware updates and protection for personal data. When coupled with poor password choices, HP says wearables are as much a target for cyber criminals as muggers on the street. "As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks," said HP's Jason Schmitt.
BP 1005 over 781 (Score:2)
We can't even secure damn toys (Score:4, Funny)
These smartwatches are toys. What happens when we put machines in our bodies, giving them control over body functions? Do I have to change implants when I change my employer, because the new one has stricter security guidelines?
Re: (Score:1)
No, your old employer will demand that it be removed and destroyed because it contains some of their proprietary information, and they can't be sure it has all been removed just by 'erasing' it.
Vague article, ugh (Score:1)
Why is it that all news articles these days never reveal the actual details? Which smartwatches were tested and which "three out of ten" smartwatches had this or that problem? Which apps have invisible ads? Which Japanese city opened a robot-operated hotel (that to click a few links in that one to find out). Even going to the HP source and their linked pdf for "more details" reveals nothing than what's already on their website...
Annoying.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That is NOT the full report - or if it is, HP's definition of "report" is "useless marketing BS".
Harking back to the AC OP's concern, the paper you link to has no actual data in it, only summaries. For instance, "Thirty percent utilized cloud-based web interfaces "
Useless.
Re: (Score:1)
Fitness trackers are a boon to those that thrive on numbers, stats, and analysis.
Like a lot of geeks -- which also happen to be one of the demographics most in need of fitness.
There's also a significant social component (share your numbers, compete with others, etc.), which for many is a good motivator as well.
Re: (Score:1)
Re: (Score:2)
Most are also really inaccurate [techtimes.com] when it comes to measuring calories burned.
Two of them were 85% accurate.
you are demonstrably oblivious to how broadly your statements don't apply.
pot, kettle, black
Re: (Score:1)
Re: (Score:1)
Measuring energy expenditure (Score:1)
- 15-25 % if the model and measurements are calibrated for a particular individual in a lab environment
- 20-35 % in a generic case
Source: http://www.firstbeat.com/userD... [firstbeat.com]
Your device, be it a watch or a phone, using chest strap or wrist, CANNOT get more accurate than 20%, whatever the marketing dept would say.
The human body simply is not a precision instrument, and the individual deviation from the formulas cannot be eliminat
Re: (Score:2)
> CANNOT get more accurate than 20%
You're COMPLAINING?!?
Gebus, I have just about zero idea what my caloric intake or output is. I certainly see value in something that's 20%. And if I can calibrate that against, say, a bike machine, then I'm all for it.
Original Report (Score:2)
Here's the original Fortify report, which has actual data (tm): http://www8.hp.com/us/en/hp-news/press-release.html?id=2037386#.VbF-Hbd2lEE
Re: (Score:3, Insightful)
Nice try, I still had to click "get the report" another 2 times
http://go.saas.hp.com/l/28912/2015-07-20/325lbm/28912/69038/IoT_Research_Series_Smartwatches.pdf
No brands or concrete data mentioned. This is a garbage report. They should have at least detailed which models had which problems. Instead we get nothing of value.
Re: (Score:1)
Re: (Score:3)
just the ones which connect using the Bluetooth protocol.
Re: (Score:1)
Re: (Score:2)
Fruitwatch and Tizenwatch already have wifi.
Re: Relax... (Score:1)
Re: (Score:2)
The difference is that iWatch and Samsung gear have had it enabled for a long time.
Translation: (Score:5, Insightful)
Re: (Score:2)
> We don't make one of these amazing things YET, so you shouldn't have one of these scary things NOW.
FTFY
Re: (Score:2)
HP had their chance to create an internet of things niche when they bought Palm.
WebOS lives on only at lg
Re: (Score:2)
No matter HPs motivation for this ... the shitty and sorry state of security of consumer electronics is pretty well documented. Hell, we see stories here at least weekly about it.
I assume pretty much every device which wants to connect to the internet is full of absolutely gaping security holes, because companies don't care, and consumers want easy.
My default position is these smartwatches are full of security holes. And smart TVs. And the internet of things.
Because every damned vendor seems to either do
Re: (Score:2)
Yes let's dismiss this on the basis that it was conducted by a company that doesn't have a vested interest in it.
they have a totally vested interest in trashing the credibility of their competitors
Re: (Score:2)
We don't make one of these toys, so you shouldn't have one of these toys.
FTFY.
Re: (Score:2)
I too avoid buying original hp products.
Wait, what? (Score:5, Funny)
HP says wearables are as much a target for cyber criminals as muggers on the street.
Muggers are a target for cyber criminals? Who knew?
one word (Score:2)
Bluetooth.
Bit rich coming from HP (Score:1)
This is a little rich coming from HP... How many devices have they released with HARD CODED passwords that CAN'T be disabled or changed so field engineers can have easy 'access'?
Re: (Score:2)
Re: (Score:2)
I used to wear a watch, back in the 20th century. That's when cell phones were the size of a common house brick. Fuck watches
If they can make a phone the size of a watch, I say, fuck phones.
Re: (Score:2)
I used to wear a watch, back in the 20th century. That's when cell phones were the size of a common house brick. Fuck watches
We are straight back to phones the size of a house brick. When the iPhone was released with a 3.5 inch screen, everyone thought it was _huge_.
Which is why you don't let this stuff connect... (Score:4, Insightful)
... the company servers if you give a shit about security.
The whole BYOD argument has been debated to death. Point is there are two camps here.
Camp 1 says "No, because security" and Camp 2 says "Yes, because I'm lazy and like my toys."
Did I strawman camp 2? Sure. They'll actually say stuff like "we can secure our systems. But there is overwhelming evidence to the contrary. And if you ask them why they don't want to use the company provided blackberries or something they'll say "well I don't want to bring two phones" or "I can't install my apple shit on this thing" or whatever. Which means the security is being compromised for convenience and toys.
Now is there some hidden agenda in Camp 1? I mean, I just talked a lot of shit about camp 2... is there something off with camp 1? I can't see it. I'm a fully paid up card carrying member of camp 1. So maybe I just can't see it because I'm too close to it. You tell me. But I don't think there is a hidden agenda with camp 1. Camp 1 says "we cannot secure your private shit phone and thus giving it access to the VPN etc is a stupid idea and we're not doing it."
So the stupid watches for the BYOD phones are an additional security vulnerability? Okay.
Who's problem is that? Not camp 1's problem because they're not going to let you use that shit with the company phone anyway. Problem fucking solved. *brushes rhetorical dirt off hands and goes off to lunch*
Camp 2 however has more problems to deal with and it is never going to stop. And the thing is that no organization either can or will even choose to try to keep up with all this shit. They'll make efforts to close the most glaring issues but that's about it. Which means those systems will be what they've always been... wide fucking open. And that predates the whole BYOD thing. Some organizations do what is required to secure the systems and some basically jerk off into their coffee and call it cream.
Here is what "I" need for the stupid watches to be acceptable. I need to be able to control the encryption between the phone and the watch. And then I need to be able to lock those parameters into the phone so that they can't be changed by the user or some fucking program you install from the marketplace/appstore that says in the long list of permissions "oh yeah, fuck your security". And then I need to be able to control what is passed between the phone and the watch. Apparently these things are set up to pass EVERYTHING. And that's adorable and stuff but clearly that has to be scaled back to something less deranged.
There are so many problems with this stuff. I appreciate the makers are pushing this for idiot consumers and that they are going for looks and functionality etc and security isn't even on the radar.
And that is FINE... for a toy. But any company that lets that crap have access to their servers deserves what ever happens.
No pity.
Re:Which is why you don't let this stuff connect.. (Score:5, Insightful)
The problem with camp #1 is they, in many cases, utterly fail to provide the tools necessary for people to do their jobs efficiently, which is why people want to bring their own.
Mind you, it's not necessarily the boots on the ground (but rather the generals) for camp #1 causing the problem, but is is camp #1's problem.
(by the way, I have been in both camps in various parts of my career)
Re: (Score:2)
You're right. And I think OPM is really leading the way with this revolution you're talking about. From what we hear they didn't even have an IT security department until a year ago and that was probably a mistake.
The hack they had wouldn't have even been noticed in the first place without people me.
You don't know what you're talking about. You're another snotty user that thinks his parents are poopy heads because they won't let him install malware on the company network.
And users like you are not a problem
Re: (Score:2)
Re: (Score:2)
IT security is not customer facing any more than the legal department is customer facing or the accounting department or HR or any other department designed to manage risk and see that things are done in the CORRECT way so that the organization doesn't get corn holed by being sloppy, lazy, or stupid.
You saying there is no such thing as perfect security is like saying there is no such thing as a company with competent accounting.
My cousin recently had to go to India to audit a company in Mumbai. Had a good t
Re: (Score:2)
This greatly simplifies the problem. This is what alot of the security arguments do, in my experience. They ignore human nature, and often business needs. There is a right way to do things, but there is always a balance. Even ignoring that balance, and insisting everything is done right, will
Re: (Score:2)
Give me a specific example and I'll give you a specific way of mitigating the situation without compromising security.
What I find often as not is that people don't even like to ask for permission. They get offended that they even need to ask.
And then there are issues of "well, my home computer can do X so why can't my office work station do X"... never mind that X is sometimes something as dumb as installing iTunes or something that you should ask permission for like installing Y unknown software on the sys
Re: (Score:2)
Re: (Score:2)
I'd just assume use RDP... What's the difference.
A lot of remote desktop solutions have issues. I personally use about 10 of them with each one contextual to platforms, programs, security situations, amount/type of media coming through, etc.
Look, so long as what you're doing doesn't compromise the lock down on secure systems so that executable code/unauthorized access remains EFFECTIVELY impossible... I'm cool with whatever you're doing.
That is my job. You do your job. I'll do my job. One big happy family.
I
Re: (Score:2)
Re: (Score:2)
hardening a Windows system is easier than most people realize.
I mean... there are brute force things you can do anything.
1. None of the terminal operating systems can be modified. Files are locked at the file system level. Things that need to change for the OS to function properly can change... temp files and paging files etc. But things that don't change and don't need to change are literally locked. The virus isn't going to get the permissions to fuck with anything.
2. Even if it did, the operating systems
Re: (Score:1)
I don't think there is a hidden agenda with camp 1. Camp 1 says "we cannot secure your private shit phone and thus giving it access to the VPN etc is a stupid idea and we're not doing it."
Camp 1's hidden agenda is making life simple for them (e.g., IT security). When a gatekeeper's opened for opening a gate, they'll have no incentive to do what's actually best for the organization. It's not just IT, either. We all do it. Want to order some software? Legal and Supply Chain and IT will all conspire to make this a big fucking deal that takes two months to get done. (Shhh... don't tell them about the thousands of packages flitting into their network via nuget/npm/git/aptitude/docker/whatever. T
Re: (Score:2)
Well... you say simple, I would say "possible".
Here is the thing, you compromise the system enough and IT security just throws their hands up. There aren't enough of us, no company or government is going to pay enough to secure those systems, and so what happens is that you get shit security.
So yeah. Not fucking up the system does make it easier. But fucking it up can also make it IMPOSSIBLE to secure it.
In fact, so much of IT security has battered wife syndrome at this point that we just take it in stride
Re: (Score:2)
Re: (Score:2)
First, you're assuming that you only have the company phone. If you care about your privacy then just keep a personal phone as well.
Second, I can only speak for myself here... I don't care what you do with your company phone whenever it isn't accessing company information. We have a zillion minutes on the shared account. There was one guy that was having four hour conversations with someone that was surely personal and it didn't matter. The policy we have with it is that you can make all those calls so long
Re: (Score:2)
I personally use a company phone for everything, but I also manage security on it to MY standards, they don't always sync up with corporate standards.
Re: (Score:2)
That's fine... so long as your security doesn't conflict with mine, you can do whatever you want.
if your security conflicts with mine, then you're not connecting to company servers with that device.
Re: (Score:2)
Re: (Score:2)
Resources is always the issue with anything.
You could win a nuclear war if you had an endless number of guys with sharp sticks.
The thing is that if things are done in a dumb way then there are two ways to fix it.
1. Stop doing the dumb thing.
2. Throw money at the problem until it goes away.
What you're saying is that management will look at the bill and say "we're not paying that"... and I agree... they never have and never will.
But then you're not making the leap to where you get that that means you have to
Re: (Score:2)
And because of that, he doesn't fucking try me. And that ladies and gentlemen is respect.
No, that's called being a belligerent asshole.
You just sound like a control freak standing firmly in the "no" camp. I've seen IT like that, and ultimately they get replaced. That doesn't mean you have to bend to every silly whim, but there is a whole lot of grey between the two. It your job to weigh the risks within those two extremes and strike a balance between them to optimize the ratio between the two. It doesn't lie at either extreme in almost all cases -- regardless of what you think.
As for using
Re: (Score:2)
First, I'm not an asshole... anymore than the legal team is an asshole if you open the company up to lawsuits... or the accounting team is an asshole if you don't document your expenses properly or misappropriate funds... or the HR department if you start calling coworkers racist names... etc. I'm not an asshole. I'm doing my job.
Second, IT security is very poorly understood and rarely gets the respect it deserves. This leads to it being asked to do impossible and contradictory things. And that leads to the
Re: (Score:2)
First, you are an asshole. You seem to think that having the upperhand, and maintaining it and forcing others to your will is respect. You are mistaken. That's just being an asshole, and one that no one else wants to deal with.
Second, why do you believe that IT security deserves more respect than it gets? Perhaps it is just you that doesn't get the respect that you feel you deserve because you are an ass. I replace twats like you because you think in terms of absolutes from the inside of your little fi
Re: (Score:2)
nope... I believe IT security deserves more respect because idiot users think security doesn't matter and the security in most systems... even supposidly high securiity systems is shit.
This is why hackers get into systems so easily. Because people like you systematically sabotage and undermine the people trying to do their jobs to such an extent that they just give up even trying to do their jobs. You're the ignorant abusive drunk of the IT world and most IT security suffers battered wive's syndrom from peo
Re: (Score:2)
Want to talk about that seriously and login or stay AC and keep trolling?
Re: (Score:2)
(1) I'm not sure on the specifics of phones/watches but in my country, one can claim as a tax deductibility a 'salary sacrifice' if equipment is used for work purposes. e.g. that $70/month shiny iPhone 6 plan might be subsidized by the government if you BYOD but maybe not if it's purely for personal use.
(2) I'm surprised hypervisors with dual SIM haven't caught on yet. i.e. you run your own personal stack as the host OS and work provides you with a secure encrypted image to load as the guest OS. That way th
Re: (Score:2)
... the company servers if you give a shit about security.
The whole BYOD argument has been debated to death. Point is there are two camps here.
Camp 1 says "No, because security" and Camp 2 says "Yes, because I'm lazy and like my toys."
Hmmm no bias detected in that statement... though you did openly admit that you're a camp 1 member later on. I will tell you right now that I've worked for several companies with people like you calling the security shots. I can also tell you right now that I will never carry a company phone, no matter what my boss wants. Most engineers I know have zero interest in a company phone. The only people I know who do want one are managers and sales types. If you want somebody outside of those two groups to b
Re: (Score:2)
If security is important to the company they'll call your bluff.
If you're working at a company where security isn't important or where they don't take it seriously... then do whatever. Write your user name, password, on to strange public bathroom walls for all I care.
As to people not being able to get work done with the network disconnected.
That's a false dichotomy. I don't have to go full blown sneakernet to secure a network. I just need to:
1. Control physical access to anything users touch such that inter
Re: (Score:2)
The problem with decrying BYOD as being "only for convenience" is that, when it comes down to it, basically all enterprise tech is "only for convenience". Tech exists within an organization to allow their employees to be more effective, more efficient, react faster, etc. That's what it's for. Convenience isn't a reason to ignore a technology, it should be the most important reason to adopt it.
I've worked in security in one of the most paranoid companies around and I totally get the need to protect the netwo
Re: (Score:2)
Nice try... I didn't say it was a convenience for the company or for the user to do things for the company.
Rather, I'd like you to tell me something you need your device for that you couldn't do on a company blackberry?
Hit me with your best shot. Why do you need a an iphone6 to answer an email or send a text? I'd love to hear it.
Re: (Score:2)
To be with me when I'm not at the office, cause I'm sure as hell not carrying and charging that blackberry piece of crap (at least not for free, and not likely for any amount the company is willing to pay)
Tell me why you can't secure your email server so that my iPhone can't securely access it?
Hit me with your best shot.
Re: (Score:2)
You're not doing it for free... you're getting a salary, health benefits, 401k, etc. Comical.
People are paid well. One of the things people are paid for is to take security seriously. if you're such a little prissy drama queen that you can't handle a company phone which used to be a standard requirement in most companies at one point... then you know what... who wants you? Seriously. You sound like a whiny cunt. If you work with us then you're going to be constantly bitching about something and causing prob
Re: (Score:2)
You want team players. People that cause problems are more trouble than they're worth.
Looked in the mirror lately.
My job is to get stuff done. I've done IT security for years, and I understand it well, but I'm not an ass like you, never was, never will be. I've long gotten out of that, and I my own business (technology based), and I write code as a consultant. Security is important, sure. But you know what happens if my company gets hacked? Wipe, restore from backups -- everything. Sure, it's not great, but the day or two we'd be down is far less than the time wasted implementing and e
Re: (Score:2)
"Camp 1" could make things even more secure by never plugging in any of the computer equipment. If nobody can use it, neither can the hackers. That's about as secure as it gets!
Yes, a ridiculous example, but there's a point here. If perfect security is your only goal (which is sure what it looks like from your message), then that's exactly where you are headed. Assuming you don't do that, then there's actually a balance you are striking between a convenient system that helps people get their job done as
Re: (Score:2)
it isn't my only goal. The goal is to raise security to such a point that the system is not compromised while also permitting the system to be efficiently used by authorized persons.
This is obtainable. I believe I have obtained it. There is no legitimate task an employee needs to do with the system that they cannot do. I have disallowed all other things.
If they don't need to do something... then they can't. That is roughly the doctrine.
I work on a white listing philosophy.
So I basically start with an unplug
Fear mongering? (Score:2)
So muggers are a target, not watches? (Score:1)
American idiots:
"wearables are as much a target for cyber criminals as muggers on the street"
I think you meant:
"wearables are as much a target for cyber criminals as FOR muggers on the street"
Sensationalism (Score:2)
Come on. This is not real world.