Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security HP

HP: Smartwatches Are a Major Security Risk 98

Mickeycaskill writes: Researchers at HP Security discovered "significant vulnerabilities" in every single smartwatch they tested, claiming they pose a major security risk for users. The team is concerned by an apparent lack of authorization and authentication provisions, encrypted firmware updates and protection for personal data. When coupled with poor password choices, HP says wearables are as much a target for cyber criminals as muggers on the street. "As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks," said HP's Jason Schmitt.
This discussion has been archived. No new comments can be posted.

HP: Smartwatches Are a Major Security Risk

Comments Filter:
  • calm down. man.
  • by NotInHere ( 3654617 ) on Thursday July 23, 2015 @06:40PM (#50171433)

    These smartwatches are toys. What happens when we put machines in our bodies, giving them control over body functions? Do I have to change implants when I change my employer, because the new one has stricter security guidelines?

    • No, your old employer will demand that it be removed and destroyed because it contains some of their proprietary information, and they can't be sure it has all been removed just by 'erasing' it.

  • by Anonymous Coward

    Why is it that all news articles these days never reveal the actual details? Which smartwatches were tested and which "three out of ten" smartwatches had this or that problem? Which apps have invisible ads? Which Japanese city opened a robot-operated hotel (that to click a few links in that one to find out). Even going to the HP source and their linked pdf for "more details" reveals nothing than what's already on their website...

    Annoying.

    • The full report is linked in the HP news article. Tl;dr - http://go.saas.hp.com/l/28912/... [hp.com]
      • While the report offer a bit more content than the articles, unfortunately which watches that were tested is not included. And sleep depraviation does very little good to my reading skills, as AC reached the exact same conclusion.
      • That is NOT the full report - or if it is, HP's definition of "report" is "useless marketing BS".

        Harking back to the AC OP's concern, the paper you link to has no actual data in it, only summaries. For instance, "Thirty percent utilized cloud-based web interfaces "

        Useless.

  • Here's the original Fortify report, which has actual data (tm): http://www8.hp.com/us/en/hp-news/press-release.html?id=2037386#.VbF-Hbd2lEE

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Nice try, I still had to click "get the report" another 2 times

      http://go.saas.hp.com/l/28912/2015-07-20/325lbm/28912/69038/IoT_Research_Series_Smartwatches.pdf

      No brands or concrete data mentioned. This is a garbage report. They should have at least detailed which models had which problems. Instead we get nothing of value.

    • Doesn't list which smart watches were tested.
  • Translation: (Score:5, Insightful)

    by jpellino ( 202698 ) on Thursday July 23, 2015 @07:04PM (#50171539)
    We don't make one of these amazing things, so you shouldn't have one of these scary things.
    • > We don't make one of these amazing things YET, so you shouldn't have one of these scary things NOW.

      FTFY

    • No matter HPs motivation for this ... the shitty and sorry state of security of consumer electronics is pretty well documented. Hell, we see stories here at least weekly about it.

      I assume pretty much every device which wants to connect to the internet is full of absolutely gaping security holes, because companies don't care, and consumers want easy.

      My default position is these smartwatches are full of security holes. And smart TVs. And the internet of things.

      Because every damned vendor seems to either do

    • We don't make one of these toys, so you shouldn't have one of these toys.

      FTFY.

    • by sjwest ( 948274 )

      I too avoid buying original hp products.

  • Wait, what? (Score:5, Funny)

    by tsqr ( 808554 ) on Thursday July 23, 2015 @07:12PM (#50171577)

    HP says wearables are as much a target for cyber criminals as muggers on the street.

    Muggers are a target for cyber criminals? Who knew?

  • Bluetooth.

  • by Anonymous Coward

    This is a little rich coming from HP... How many devices have they released with HARD CODED passwords that CAN'T be disabled or changed so field engineers can have easy 'access'?

  • by Karmashock ( 2415832 ) on Thursday July 23, 2015 @07:36PM (#50171705)

    ... the company servers if you give a shit about security.

    The whole BYOD argument has been debated to death. Point is there are two camps here.

    Camp 1 says "No, because security" and Camp 2 says "Yes, because I'm lazy and like my toys."

    Did I strawman camp 2? Sure. They'll actually say stuff like "we can secure our systems. But there is overwhelming evidence to the contrary. And if you ask them why they don't want to use the company provided blackberries or something they'll say "well I don't want to bring two phones" or "I can't install my apple shit on this thing" or whatever. Which means the security is being compromised for convenience and toys.

    Now is there some hidden agenda in Camp 1? I mean, I just talked a lot of shit about camp 2... is there something off with camp 1? I can't see it. I'm a fully paid up card carrying member of camp 1. So maybe I just can't see it because I'm too close to it. You tell me. But I don't think there is a hidden agenda with camp 1. Camp 1 says "we cannot secure your private shit phone and thus giving it access to the VPN etc is a stupid idea and we're not doing it."

    So the stupid watches for the BYOD phones are an additional security vulnerability? Okay.

    Who's problem is that? Not camp 1's problem because they're not going to let you use that shit with the company phone anyway. Problem fucking solved. *brushes rhetorical dirt off hands and goes off to lunch*

    Camp 2 however has more problems to deal with and it is never going to stop. And the thing is that no organization either can or will even choose to try to keep up with all this shit. They'll make efforts to close the most glaring issues but that's about it. Which means those systems will be what they've always been... wide fucking open. And that predates the whole BYOD thing. Some organizations do what is required to secure the systems and some basically jerk off into their coffee and call it cream.

    Here is what "I" need for the stupid watches to be acceptable. I need to be able to control the encryption between the phone and the watch. And then I need to be able to lock those parameters into the phone so that they can't be changed by the user or some fucking program you install from the marketplace/appstore that says in the long list of permissions "oh yeah, fuck your security". And then I need to be able to control what is passed between the phone and the watch. Apparently these things are set up to pass EVERYTHING. And that's adorable and stuff but clearly that has to be scaled back to something less deranged.

    There are so many problems with this stuff. I appreciate the makers are pushing this for idiot consumers and that they are going for looks and functionality etc and security isn't even on the radar.

    And that is FINE... for a toy. But any company that lets that crap have access to their servers deserves what ever happens.

    No pity.

    • by Anonymous Coward on Thursday July 23, 2015 @07:52PM (#50171811)

      The problem with camp #1 is they, in many cases, utterly fail to provide the tools necessary for people to do their jobs efficiently, which is why people want to bring their own.

      Mind you, it's not necessarily the boots on the ground (but rather the generals) for camp #1 causing the problem, but is is camp #1's problem.

      (by the way, I have been in both camps in various parts of my career)

    • I don't think there is a hidden agenda with camp 1. Camp 1 says "we cannot secure your private shit phone and thus giving it access to the VPN etc is a stupid idea and we're not doing it."

      Camp 1's hidden agenda is making life simple for them (e.g., IT security). When a gatekeeper's opened for opening a gate, they'll have no incentive to do what's actually best for the organization. It's not just IT, either. We all do it. Want to order some software? Legal and Supply Chain and IT will all conspire to make this a big fucking deal that takes two months to get done. (Shhh... don't tell them about the thousands of packages flitting into their network via nuget/npm/git/aptitude/docker/whatever. T

      • Well... you say simple, I would say "possible".

        Here is the thing, you compromise the system enough and IT security just throws their hands up. There aren't enough of us, no company or government is going to pay enough to secure those systems, and so what happens is that you get shit security.

        So yeah. Not fucking up the system does make it easier. But fucking it up can also make it IMPOSSIBLE to secure it.

        In fact, so much of IT security has battered wife syndrome at this point that we just take it in stride

        • by pnutjam ( 523990 )
          Let's not pretend their aren't security implications when you use a corporate phone. You cede alot of information to your employer, and they can misuse it. Even if they are disinclined to use it, your phone records could easily become part of a legal discovery process and be misused by someone else.
          • First, you're assuming that you only have the company phone. If you care about your privacy then just keep a personal phone as well.

            Second, I can only speak for myself here... I don't care what you do with your company phone whenever it isn't accessing company information. We have a zillion minutes on the shared account. There was one guy that was having four hour conversations with someone that was surely personal and it didn't matter. The policy we have with it is that you can make all those calls so long

            • by pnutjam ( 523990 )
              When I talk about legal action, I'm not talking about inter-company issues. Your records could be subpoenaed because your boss stiffed a supplier, or even something as stupid as a co-workers divorce. That puts your information out of control.
              I personally use a company phone for everything, but I also manage security on it to MY standards, they don't always sync up with corporate standards.
              • That's fine... so long as your security doesn't conflict with mine, you can do whatever you want.

                if your security conflicts with mine, then you're not connecting to company servers with that device.

    • From my perspective, the biggest problem with BYOD is that management is not likely to give IT the resources needed to ensure that BYOD is done in a secure manner. Personally, I will not bring my own device to work for a couple of reasons. First, why on earth would I subsidize my employer? Second, why on earth would I consider giving my employer any measure of control over my device?
      • Resources is always the issue with anything.

        You could win a nuclear war if you had an endless number of guys with sharp sticks.

        The thing is that if things are done in a dumb way then there are two ways to fix it.

        1. Stop doing the dumb thing.
        2. Throw money at the problem until it goes away.

        What you're saying is that management will look at the bill and say "we're not paying that"... and I agree... they never have and never will.

        But then you're not making the leap to where you get that that means you have to

        • And because of that, he doesn't fucking try me. And that ladies and gentlemen is respect.

          No, that's called being a belligerent asshole.

          You just sound like a control freak standing firmly in the "no" camp. I've seen IT like that, and ultimately they get replaced. That doesn't mean you have to bend to every silly whim, but there is a whole lot of grey between the two. It your job to weigh the risks within those two extremes and strike a balance between them to optimize the ratio between the two. It doesn't lie at either extreme in almost all cases -- regardless of what you think.

          As for using

          • First, I'm not an asshole... anymore than the legal team is an asshole if you open the company up to lawsuits... or the accounting team is an asshole if you don't document your expenses properly or misappropriate funds... or the HR department if you start calling coworkers racist names... etc. I'm not an asshole. I'm doing my job.

            Second, IT security is very poorly understood and rarely gets the respect it deserves. This leads to it being asked to do impossible and contradictory things. And that leads to the

            • First, you are an asshole. You seem to think that having the upperhand, and maintaining it and forcing others to your will is respect. You are mistaken. That's just being an asshole, and one that no one else wants to deal with.

              Second, why do you believe that IT security deserves more respect than it gets? Perhaps it is just you that doesn't get the respect that you feel you deserve because you are an ass. I replace twats like you because you think in terms of absolutes from the inside of your little fi

              • nope... I believe IT security deserves more respect because idiot users think security doesn't matter and the security in most systems... even supposidly high securiity systems is shit.

                This is why hackers get into systems so easily. Because people like you systematically sabotage and undermine the people trying to do their jobs to such an extent that they just give up even trying to do their jobs. You're the ignorant abusive drunk of the IT world and most IT security suffers battered wive's syndrom from peo

      • (1) I'm not sure on the specifics of phones/watches but in my country, one can claim as a tax deductibility a 'salary sacrifice' if equipment is used for work purposes. e.g. that $70/month shiny iPhone 6 plan might be subsidized by the government if you BYOD but maybe not if it's purely for personal use.

        (2) I'm surprised hypervisors with dual SIM haven't caught on yet. i.e. you run your own personal stack as the host OS and work provides you with a secure encrypted image to load as the guest OS. That way th

    • ... the company servers if you give a shit about security.

      The whole BYOD argument has been debated to death. Point is there are two camps here.

      Camp 1 says "No, because security" and Camp 2 says "Yes, because I'm lazy and like my toys."

      Hmmm no bias detected in that statement... though you did openly admit that you're a camp 1 member later on. I will tell you right now that I've worked for several companies with people like you calling the security shots. I can also tell you right now that I will never carry a company phone, no matter what my boss wants. Most engineers I know have zero interest in a company phone. The only people I know who do want one are managers and sales types. If you want somebody outside of those two groups to b

      • If security is important to the company they'll call your bluff.

        If you're working at a company where security isn't important or where they don't take it seriously... then do whatever. Write your user name, password, on to strange public bathroom walls for all I care.

        As to people not being able to get work done with the network disconnected.

        That's a false dichotomy. I don't have to go full blown sneakernet to secure a network. I just need to:

        1. Control physical access to anything users touch such that inter

    • by radish ( 98371 )

      The problem with decrying BYOD as being "only for convenience" is that, when it comes down to it, basically all enterprise tech is "only for convenience". Tech exists within an organization to allow their employees to be more effective, more efficient, react faster, etc. That's what it's for. Convenience isn't a reason to ignore a technology, it should be the most important reason to adopt it.

      I've worked in security in one of the most paranoid companies around and I totally get the need to protect the netwo

      • Nice try... I didn't say it was a convenience for the company or for the user to do things for the company.

        Rather, I'd like you to tell me something you need your device for that you couldn't do on a company blackberry?

        Hit me with your best shot. Why do you need a an iphone6 to answer an email or send a text? I'd love to hear it.

        • To be with me when I'm not at the office, cause I'm sure as hell not carrying and charging that blackberry piece of crap (at least not for free, and not likely for any amount the company is willing to pay)

          Tell me why you can't secure your email server so that my iPhone can't securely access it?

          Hit me with your best shot.

          • You're not doing it for free... you're getting a salary, health benefits, 401k, etc. Comical.

            People are paid well. One of the things people are paid for is to take security seriously. if you're such a little prissy drama queen that you can't handle a company phone which used to be a standard requirement in most companies at one point... then you know what... who wants you? Seriously. You sound like a whiny cunt. If you work with us then you're going to be constantly bitching about something and causing prob

            • You want team players. People that cause problems are more trouble than they're worth.

              Looked in the mirror lately.

              My job is to get stuff done. I've done IT security for years, and I understand it well, but I'm not an ass like you, never was, never will be. I've long gotten out of that, and I my own business (technology based), and I write code as a consultant. Security is important, sure. But you know what happens if my company gets hacked? Wipe, restore from backups -- everything. Sure, it's not great, but the day or two we'd be down is far less than the time wasted implementing and e

    • by T.E.D. ( 34228 )

      "Camp 1" could make things even more secure by never plugging in any of the computer equipment. If nobody can use it, neither can the hackers. That's about as secure as it gets!

      Yes, a ridiculous example, but there's a point here. If perfect security is your only goal (which is sure what it looks like from your message), then that's exactly where you are headed. Assuming you don't do that, then there's actually a balance you are striking between a convenient system that helps people get their job done as

      • it isn't my only goal. The goal is to raise security to such a point that the system is not compromised while also permitting the system to be efficiently used by authorized persons.

        This is obtainable. I believe I have obtained it. There is no legitimate task an employee needs to do with the system that they cannot do. I have disallowed all other things.

        If they don't need to do something... then they can't. That is roughly the doctrine.

        I work on a white listing philosophy.

        So I basically start with an unplug

  • I have give a very cursory read to the PDF, it seems quite broad. The timing of this is quite suspect, is just to make people not buy iWatchs?
  • by Anonymous Coward

    American idiots:

    "wearables are as much a target for cyber criminals as muggers on the street"

    I think you meant:

    "wearables are as much a target for cyber criminals as FOR muggers on the street"

  • From the article: "when connected to a test mobile device that was deliberately made insecure"

    Come on. This is not real world.

Avoid strange women and temporary variables.

Working...