Smartwatches are great. I was in a meeting with several other people last night. Sporadically a smartphone would sound off, interrupting all of us. Each time two or three would pull their phone out of their pocket or purse, check their notifications, and all but one would put it back away. Since I was wearing a Pebble smartwatch, it was easy to tell when the alert was for me: my wrist would vibrate and the alert was displayed on the watch face. It felt good knowing that I was so much more technologically advanced than all the others. But that got me thinking…
Smartwatches are super convenient, but are they opening you up to a whole new kind of security threat? Let’s look at exactly which parts of smartwatch security are at risk.
Bluetooth isn’t a particularly secure protocol, but most people will likely agree that it’s “secure enough”. Although it may be possible for a malicious hacker to spoof your smartphone and hijack the small screen on your wrist, other than for entertainment, I don’t see why anyone would want to actually do this.
Smartwatches are so named because they’re not simple watches. They can do more “stuff”. That extra “stuff” generally means they can run apps. These apps can be broken out into three types: on-watch, and two kinds of on-phone, which we’ll get to in a moment.
What these apps do depends greatly upon the app itself. Some may let you find and rate restaurants. Others might show a QR code of your business card. Still more could let you pay for your coffee with another kind of barcode. Smartwatches don’t have PINs, passwords, biometric readers, or any other kind of screen lock. It’s a watch; it wouldn’t be practical to have to unlock your watch every time you went to see what time it is.
Should someone snatch your watch, they could have access to your physical address (in your business card QR code), and may even be able to bill all the cups of coffee they want to your account through your coffee shop’s on-watch app. Luckily, for ratings and most other interactions the watch is fairly useless without its paired smartphone in close proximity. But that opens up an entirely new set of problems.
On-Phone Apps: Plug-ins
Some smartwatches, like Pebble 2.0, run third-party apps sort of like “plug-ins” inside the core app on your smartphone. The core app does all the communication with the watch, and you can download apps from its own app store. Versions of these apps reside both inside the core app and on the watch itself.
Many of these apps require you to enter user credentials into their “plug-in” to allow your watch to communicate through the plug-in to a website or service. Take any one of the few Nest apps out there, none of which are written by Nest itself. Instead, hobbyist developers have written apps that let you see various information from your Nest Learning Thermostat (current temperature, heating or cooling status, relative humidity, and more), and even let you turn the temperature up or down. That’s really, really cool!
However, to get these apps to work you must provide them with your username and password. Yeah, that’s almost like giving your credit card number to a stranger so they can check the balance of your account for you. If you trust the person, it might be okay, but do you even know who these developers are, or what they may be doing with your credentials? Probably not.
On-Phone Apps: Companion Apps
Companion apps are just like any other app that you’d run on your Android or iPhone — and are subject to the same types of security vulnerabilities as any other app. Most of the time, this isn’t a problem since both Google and Apple are constantly looking for threats in apps.
Where problems may be more likely is when an app talks to a server — and stores information on that server. With web services becoming more popular for delivering data to connected devices, the chance that one of the servers hosting those services gets compromised is a real threat. All we need to do is look at large companies who have been recently hacked — Target, for example.
Again, the likelihood of such a hack is probably low, but if it can happen to large corporations with highly paid technical staffers, it’s probably even more likely to happen to a small shop or a hobbyist developer.
Be aware of what information you’re sharing, and with whom. Ultimately, it’s up to you to keep yourself safe. Don’t pawn that responsibility off on anyone else.