A leading computer research firm has criticised the poor security of some of the most popular smartwatches on sale today. Trend Micro says in a new report that the Apple Watch and smartwatches running Google's Android Wear are not as secure as they should be.
The study stress-tested smartwatches from major manufacturers Apple, Samsung, Motorola, LG, Sony, Asus and Pebble, ranking them on physical protection, data connections and information stored to determine which poses the biggest risk to consumers.
Trend Micro said: "Physical device protection across all smartwatches was found to be poor, with no authentication via passwords or other means being enabled by default. This would enable free access if the wearable was stolen. All devices apart from the Apple Watch failed to contain a timeout function, meaning that passwords had to be activated by manually clicking a button."
The company praised the Apple Watch for having better security features than its Android Wear rivals - and the Pebble smartwatch - but the iPhone maker's wearable also contained "the largest volume of sensitive data," meaning if it were stolen it would give away the most information about its owner. Trend Micro criticised all of the watches on test for allowing data to be seen even when taken out of Bluetooth range (typically 10 meters) from the smartphone they are paired with. Data stored on the Apple Watch includes images, contacts, calendar and Passbook data, which can include documents like plane tickets.
Convenience at the expense of security
"Across all of the smartwatches that were tested, it is clear that manufacturers have opted for convenience at the expense of security," said Bharat Mistry, cyber security consultant at Trend Micro. "On the surface, a lack of authentication features can make devices appear easier to operate, but the risk of having personal and corporate data compromised is much too big of an issue to forget about."
Although it is not switched on by default, the Apple Watch has a system whereby a PIN is needed to unlock it when it is first put on, then once paired with the owner's iPhone it will remain unlocked until it is taken off. The watch knows when it is removed because the heart rate monitor is always checking for a pulse. Of those tested, only the Apple Watch offered its wearer the ability to remotely wipe it if it is lost or stolen.
Mistry added: "Manufacturers must ensure that simple security features, such as limited password attempts, are enabled on devices by default. This considerably reduces the likelihood of data breaches. Smartwatch manufacturers must be cognisant of the fact they can slash data breaches by employing this best practice."
Mike McLaughlin, a senior tester and technical team leader at First Base Technologies, said: "Google and Apple have added complex layers of encryption to their Bluetooth and Wi-Fi data connections; but if someone were to steal a watch without a password enabled, any data stored would be easily compromised. The biggest risk, as with all technology, is gaining physical access to the watch, and manufacturers should ensure simple features are in place to prevent this".