"transmitting updates without encryption"
is not a security flaw - as long as the updates themselves are cryptographically signed.
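The point above, as an added example not from the original thread: an update sent in the clear is still safe to apply if the device verifies a signature over it before flashing. This constructed Go snippet (assumed Ed25519 keys and an invented version-plus-payload package format) also goes one step beyond the post by rejecting rollback to an older signed version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed, hypothetical format: version and payload
// travel unencrypted; only the signature protects them.
type UpdatePackage struct {
	Version uint32
	Payload []byte
	Sig     []byte // ed25519 signature over digest(Version, Payload)
}

// digest binds version and payload together so neither can be swapped alone.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor side: sign the package with the release key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdatePackage {
	return UpdatePackage{version, payload, ed25519.Sign(priv, digest(version, payload))}
}

// VerifyUpdate is the device side: refuse anything not signed by the vendor key
// and anything not newer than the installed version (rollback protection).
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u UpdatePackage) error {
	if !ed25519.Verify(pub, digest(u.Version, u.Payload), u.Sig) {
		return errors.New("bad signature: update rejected")
	}
	if u.Version <= installed {
		return errors.New("rollback rejected")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u := SignUpdate(priv, 2, []byte("firmware v2 (constructed sample)"))
	fmt.Println("genuine:", VerifyUpdate(pub, 1, u))
	u.Payload[0] ^= 0xff // cleartext payload altered in transit
	fmt.Println("tampered:", VerifyUpdate(pub, 1, u))
}
```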
Which is the watch with a built-in DNS server? That's the one I want to have :-)
A study by Hewlett Packard (HP) has revealed that a hefty 100 per cent of smartwatches contain significant security vulnerabilities. As part of HP's extended shuftie over the Internet of Things thing, the company has unveiled a new report (PDF) in which it confirms that wristjob wearing wallies are even wider open to …
Because there's not a single reference in the report to the Microsoft Band. In fact the report doesn't even list what devices they tested, it just says it samples ten smartwatches. So is it in there or not? It's certainly a smartwatch.
Perhaps El Reg could drop them a line and find out what devices HP actually tested and what the results were, rather than just throw up a far from proven headline about 100% of smartwatches. I mean are there four different Android watches in there? Should they really be treated as separate? Are there marked differences in the number of vulnerabilities? Did the iWatch fail six categories and a rival fail only one? Not all the categories are equal as the first poster on this article illustrates quite nicely. El Reg should AT LEAST get a list of which devices were assessed.
Looks like the Band probably wasn't tested - From the Research Findings in the document:
"HP reviewed 10 popular smartwatches along with their paired Android or iOS mobile device and application."
Now, I know the Band can easily pair with both Android and iOS, but surely in a security test, you'd pair it with its "native" OS as well. Wouldn't you HP?
>>"Now, I know the Band can easily pair with both Android and iOS, but surely in a security test, you'd pair it with its "native" OS as well. Wouldn't you HP?"
Well if they're truly testing the device itself, it shouldn't matter which they pair it with. For something multi-platform like the Microsoft Band, if it accepts weak encryption from Android it's still a flaw even if it defaults to something more secure with Windows Phone.
Incidentally, if that's a dig at WP's popularity, plenty of them here in Europe. Come on El Reg - you ought to be able to at least get a list of which ten devices were tested if you're going to post a headline like that.
Not a dig H4arm0ny - no need to get so defensive. I know there are plenty of WP users, and not just in Europe - they're pretty popular in the sub-continent too. Of the people in my (European) office, we're evenly split between WP8.1 and Android, and there are plenty of others scattered about the campus.
For the record, I'm one of the users (and looking to stay so with a phone upgrade imminent), although my Band is the only one in the Office.
On your other point, I do agree. Since the Band works on all three major platforms (does the Android app work in Sailfish?) it should have been tested on all three. However, since this is obviously a poor article regurgitating a poor press release announcing poor research, poorly done, I don't think it was a consideration.
Watch (pun intended) out. Your post incorrectly mentioned the Watch currently being sold by Apple.
The name you gave is trademarked to a different company.
By mentioning it that way, you risk being sued for trademark infringement.
By continuing to describe the fruity device incorrectly, you are indirectly helping Apple in their lawsuit against the trademark holders. The holder has to ensure its uniqueness, otherwise they will lose their claims to it.
They don't report on which devices they tested. They also don't even say if they tested the iWatch, just that they tested "10 of the top smartwatches" not the top 10 smartwatches. Did they test the Pebble? Did they test any of the Swiss Chronograph with smart functionality?
This is PR guff and doesn't give any details which might allow you to draw some conclusions. They don't even say when they conducted the research, or which versions of the various OS's were used. Was the iWatch even released at this point?
And the Reg article is shoddy as well - it says 100% of smartwatches have flaws. 10 is not 100%. A touch of sampling bias methinks as a minimum. Alexander Martin should be ridiculed in the same articles mocking the credulity of journalists reporting that Chocolate helps you lose weight.
There might well be vulnerabilities across the board. I think someone should research this issue, as there doesn't appear to be any extant research published.
Doh!
Case in point. Security is expensive and if customers aren't bothered then manufacturers aren't going to volunteer for extra expense. Until something happens like...I dunno...burgling rings waiting until you're properly asleep before breaking in or something like that. By which point it'll be too late.
Hmm. These are watches, right? So, small cases, bugger all capability to dissipate heat[1], tiny underpowered CPUs, small low-capacity batteries.
You'd almost suspect that every CPU clock-cycle is a precious thing to be fought over, just like in old skool computing.
[1] Worse still, any heating of the case is going to be noticed and vociferously complained about by its wearer.
The danger to the iWatch wearer is significant. Consider: you are minding your own business in one of the thirty seven Starbux near work and some yob hacks your timepiece and replaces the time display with a custom one. In a trice, An iSherrif leaps from behind the organic chocolate chip cookie display and slaps you, the innocent iFan, with an iSuppoena pending ruinous sueage.
Oh the humanity!
"They don't report on which devices they tested. They also don't even say if they tested the iWatch, just that they tested "10 of the top smartwatches" not the top 10 smartwatches. Did they test the Pebble? Did they test any of the Swiss Chronograph with smart functionality?"
How many "smartwatches" are on the market anyway? I would assume for "Did they test xyz?" the answer would be yes, just because I didn't think there'd even be more than 10 models.... That said, this whole "responsible disclosure" thing of not even naming and shaming vendors is crap IMHO.