Updated on September 9, 2020 at 12:23 am

Galaxy Smartwatch. Photo: Josh Valcarcel/WIRED

Key Takeaways:
• Data collected on the watch and passed through to its companion application is often sent on to multiple backend destinations, frequently including third parties

• Watches that included cloud interfaces often employed weak password schemes, making them more susceptible to attack

• Watch communications were trivially intercepted in 90% of cases

• Seventy percent of watch firmware was transmitted without encryption

• Only fifty percent of tested devices offered a screen lock (PIN or pattern), which would hinder access to the device if it were lost or stolen

• Smartwatches whose mobile application required authentication allowed unrestricted account enumeration

• The combination of account enumeration, weak passwords, and lack of account lockout means 30% of watches and their applications were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access to user accounts

Smartwatch Research Report
