Updated on September 9, 2020 at 12:23 am
Key Takeaways:
• Data collected initially on the watch and passed through to an application is often sent to multiple backend destinations (often including third parties)
• Watches that include cloud interfaces often employed weak password schemes, making them more susceptible to attack
• Watch communications are trivially intercepted in 90% of cases
• Seventy percent of watch firmware was transmitted without encryption
• Fifty percent of tested devices offered the ability to implement a screen lock (PIN or Pattern), which could hinder access if lost or stolen
• Smartwatches that included a mobile application with authentication allowed unrestricted account enumeration
• The combination of account enumeration, weak passwords, and lack of account lockout means 30% of watches and their applications were vulnerable to Account Harvesting, allowing attackers to guess login credentials and gain access to user accounts
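The last three takeaways describe one failure chain: a login endpoint that reveals which usernames exist, accepts weak passwords, and never locks an account. The following is an added example, not code from the study or from any watch vendor, showing how a companion-app backend can close all three gaps at once. The `UserStore` class, the lockout threshold of five failures, the 12-character minimum, and the small deny-list of common passwords are all assumptions made for illustration; the user store is in-memory and constructed inline so the snippet runs offline.

```python
"""Added example (not from the HP study or any vendor's code): a login handler
hardened against account enumeration, weak passwords and missing lockout.
All names, thresholds and stored users below are constructed for illustration."""
import hashlib
import hmac
import os
import secrets

MAX_FAILURES = 5        # assumed lockout threshold
MIN_PASSWORD_LEN = 12   # assumed password policy
PBKDF2_ROUNDS = 100_000
# Constructed deny-list; a real deployment would use a breached-password set.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein"}
GENERIC_FAILURE = "invalid credentials"   # one message for every failure cause


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so guessed passwords cost the attacker real time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_is_strong(password: str) -> bool:
    """Reject the weak schemes the study found: short or dictionary passwords."""
    return (len(password) >= MIN_PASSWORD_LEN
            and password.lower() not in COMMON_PASSWORDS)


class UserStore:
    def __init__(self) -> None:
        self._users: dict[str, dict] = {}
        # Dummy credential: unknown usernames still pay the full hashing cost,
        # so response time does not leak whether an account exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_key = derive_key(secrets.token_hex(16), self._dummy_salt)

    def register(self, username: str, password: str) -> bool:
        if not password_is_strong(password):
            return False
        salt = os.urandom(16)
        self._users[username] = {"salt": salt,
                                 "key": derive_key(password, salt),
                                 "failures": 0}
        return True

    def is_locked(self, username: str) -> bool:
        user = self._users.get(username)
        return user is not None and user["failures"] >= MAX_FAILURES

    def login(self, username: str, password: str) -> str:
        user = self._users.get(username)
        if user is None:
            # No enumeration: same work and same message as a wrong password.
            derive_key(password, self._dummy_salt)
            return GENERIC_FAILURE
        if user["failures"] >= MAX_FAILURES:
            # Locked accounts refuse even the correct password; the caller
            # sees the same generic message, so lockout state is not revealed.
            return GENERIC_FAILURE
        candidate = derive_key(password, user["salt"])
        if hmac.compare_digest(candidate, user["key"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        return GENERIC_FAILURE


if __name__ == "__main__":
    store = UserStore()
    print("weak password accepted:", store.register("alice", "password"))
    store.register("alice", "correct-horse-battery")
    print("unknown user:", store.login("nobody", "anything"))
    print("wrong password:", store.login("alice", "anything"))
```

The design choice worth noting is that every failure path returns the identical string and performs the same amount of hashing work; a locked account is only observable to the account owner (who stops getting in) and to the operator's logs, not to whoever is driving the login attempts. Unlocking after a cooldown or an out-of-band step is left out here, as is rate limiting per source address, which should sit in front of this code.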