Why you shouldn’t save on smartwatches


A recent study of budget smartwatches and fitness trackers found that they do not store their owners' personal data securely. Moskovskaya Pravda asked experts how fair this conclusion is and whether it is possible to protect yourself against leaks of confidential information from such gadgets.

Photo wavebreakmedia_micro / Freepik

Marketplaces now offer dozens of budget smartwatches and fitness trackers priced at about 1.5 thousand rubles. Models that at first glance are no different from expensive ones are understandably in great demand. But it is not for nothing that they say a miser pays twice …

Cybersecurity experts from the British consumer organization Which? tested cheap smartwatches and fitness trackers sold on the Internet, many of which are replicas of popular brands such as Apple, Samsung or Fitbit, and found a number of problems in the gadgets studied. Roskachestvo reported the results of the study.

The experts identified four main shortcomings in the 12 gadgets tested: excessive data collection, insecure data storage, the inability to opt out of data collection, and the lack of a lock function.

Eight of the watches tested track the exact coordinates of the wearer. They are:

— Briame D20 Pro Smartwatch Y68;

— Briame M6;

— ID115 Plus Sports Fitness Tracker Watch Heart Rate Blood Pleasure Activity Monitor Fit-Bit;

— IWO 14 Pro Series 7;

— For Fit-Bit Fitness Smart Watch Band Sport Activity Tracker Adult Kid Fitbit Step Counter;

— Cobrafly P8;

— Chuyong 2022 New Women Bluetooth Call Smart Watch Heart Rate Blood Pressure Monitoring Smartwatches IP67 Waterproof Men Smartwatch;

— Aswee PUO1.

At the same time, the IWO Pro Series 7 smart watch requested accurate location data more than 250 times in 5 minutes during the study. Aswee PUO1, Colmi P6 and Lige New Smartwatch models require location permission to be always on. And if you do not allow the watch to collect personal information, the application simply will not work.

IWO and Aswee gadget apps do not encrypt data when sent to or from internal services. Thus, if a hacker intercepts this data, he will be able to read it.

In addition, none of the devices asked for a PIN code after a long period of inactivity. That is, if you lose the watch or it is stolen, the new owner will have full access to your data.

In general, it turns out that attackers can, if they wish, easily obtain confidential information about the owners of such gadgets. Moreover, if you are already using them, there are practically no options to secure your data, Sergey Tsvetkov, a leading software developer at Ozon, told Moskovskaya Pravda.

“The problem of data security has always been in compact wearable devices, it’s just that they didn’t pay attention to it before,” the expert noted. “The reasons for this are different. From a technical standpoint, engineers don’t always want to embed user authentication tools such as a fingerprint scanner or a 3D face scanner. Adding such bulky modules and at the same time maintaining the mobility of the device is not an easy task. From an economic point of view, it is even more understandable: identification modules cost money, they must be bought on the side. And the cheaper the device, the more potential buyers it has.”

According to Sergey Tsvetkov, the situation is further complicated by the fact that consumers choosing between two devices usually consider data security last. This is a significant omission, especially if the gadget is used by a child.

Igor Zdobnov, head of the Doctor Web virus laboratory, said that a little over a year ago, the company conducted a study of children’s smartwatches and also identified cybersecurity vulnerabilities in them.

“The data collected during the operation of the smart watch is usually transferred to the manufacturers’ servers and is available to parents through personal accounts. At the same time, the information that can be obtained using smart watches is very sensitive. If it falls into the hands of intruders, children, and not only they, may be in serious danger,” the expert warned.

Among the main problems identified, the expert named a standard password for control via SMS (123456), unencrypted data transfer, and the use of the unsecured HTTP protocol for photo transfer. Malicious code was also found in one of the models.

“Our analysis showed that, in general, the safety of children’s smartwatches is at a very unsatisfactory level. The study affected several models, but in general, the problem with these devices is that different models can use similar firmware and software. For example, firmware similar to the one installed in the Wokka Lokka Q50 watch is used in a large number of other smart watch models of various brands, as well as in all kinds of GPS trackers. In addition, a standard control password via SMS is set for them. Consequently, their users are subject to the same risks as the owners of the Wokka Lokka Q50 watch,” Igor Zdobnov specified. “At the same time, new models are constantly appearing on the market, and there is no guarantee that they will not have any vulnerabilities. And the detection of a Trojan pre-installed on the Elari Kidphone 4G smart watch clearly demonstrates the danger that can be hidden in devices of this type running Android OS. Firmware for them is often created by third parties, and manufacturers rarely check their safety and integrity. Therefore, it is highly likely that at one of the stages of the production of Android watches, attackers will inject Trojans or adware into them. Similar problems are likely to occur in conventional smart watches and fitness trackers.”

The expert recommends following at least basic security rules when using gadgets: set a new password immediately after purchase, and do not use smart watches to transfer personal and other sensitive data such as passwords, photographs of documents, SMS messages with important information, personal photos, etc.

But even if you follow these rules, you will not fully protect yourself, says Tatyana Lynova, an analyst at the Angara SOC operational monitoring group.

“The availability of information processed by smart watches and fitness trackers to third parties can help potential attackers replenish user databases that are popular on the shadow market,” the expert explains. “For example, by continuously tracking the user’s geolocation, a cybercriminal is able to determine the address of a person’s home and work, as well as frequently visited places. Based on the received data, it is possible to organize, for example, an effective phishing attack (SMS or mailing list).”

Meanwhile, according to Tatyana Lynova, it is still possible to pre-evaluate the gadget in terms of security for the user’s personal data.

“First of all, it should be remembered that both devices, using one or another application, gain access to the user’s smartphone, and therefore to the data stored or processed on it (contacts, media content, accounts, calls, messages, etc.) and its functionality (camera, microphone, geolocation). If the manufacturer of the smart watch is dubious, the attitude towards the installed software should be appropriately wary. You should pay attention, for example, to the installation source (official app store or third-party source), the developer (reputation, popularity), requested permissions, and privacy policy. It can also be useful to read reviews (starting with negative ones), since even applications that are popular in official marketplaces suffer from artificially inflated downloads and positive reviews.”

Additional risk factors in terms of information security are the presence of a microphone, camera, SIM card slot and other functionality in gadgets. Therefore, when choosing a watch or a fitness tracker, you must definitely pay attention not only to their functions, but also to how your data will be protected. And the cheaper the smart watch, the less likely it is that your privacy will be maintained at the proper level.
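The permission check recommended above can be done before installing a companion app. The following is an added example, not part of the original article: it assumes the app's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the manifest and package name shown are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Permissions matching the data and functions named in the article.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "exact coordinates",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location when the app is closed",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample manifest for a hypothetical companion app (not a real product).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.watchcompanion">
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Watch" android:usesCleartextTraffic="true"/>
</manifest>"""


def audit_manifest(xml_text):
    """Return a list of findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = [f"{p.rsplit('.', 1)[1]}: {SENSITIVE[p]}"
                for p in sorted(requested & SENSITIVE.keys())]
    app = root.find("application")
    # Only an explicit opt-in is flagged; apps targeting old Android versions
    # allow cleartext by default, and a network security config can override it.
    if app is not None and app.get(A + "usesCleartextTraffic") == "true":
        findings.append("usesCleartextTraffic: unencrypted HTTP is allowed")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print(line)
```

A clean result does not prove the app is safe; it only shows that the manifest does not declare these permissions or the cleartext flag.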

Alena Bodrienko.
