How secure are smart watches ?

50Twuncle

I have just bought myself a smart watch/ fitness device

I am surprised to discover that to download data - you simply run an app on a smartphone and bluetooth the data between watch and phone (both ways) without any security at all !
The watch continually pumps out data (24/7) - bluetooth is enabled permanently - so (in theory) anyone with a bluetoorh scanner can read my personal data !

Are genuine Fitbits the same ?
In case anyone is interested - I have ensured that my data is made up (birthdate, email, postcode etc etc)

arciere

As far as I know Bluetooth communications are encrypted.

wongataa

You have to pair Bluetooth devices. You can't just connect to them and read the data. Depending on the device you often can't have multiple Bluetooth connections running at the same time as well.

dipsomaniac

mine used to be always falling off my wrist

PRAISETHESUN

The range for bluetooth is quite limited, so someone would have to get rather close in order to remotely hack the device. Not impossible, but it would take enough effort to discourage the vast majority of people. It'd most likely be from opportunist types, such as someone sitting on the bus/train who happens to just be looking for an unsecured device to mess with.

In terms of data encryption, bluetooth is indeed encrypted between the two devices but if your device is using the default pairing passcode (which is usually available in the products manual) then that encryption is mostly worthless. Most devices don't support multiple independent connections, so if you are paired with your phone than I wouldn't worry about someone else trying to connect. That said, I think it's a good practice to not keep personal information on the device unless you really have to.

50Twuncle

PRAISETHESUN wrote: »

The range for bluetooth is quite limited, so someone would have to get rather close in order to remotely hack the device. Not impossible, but it would take enough effort to discourage the vast majority of people. It'd most likely be from opportunist types, such as someone sitting on the bus/train who happens to just be looking for an unsecured device to mess with.

In terms of data encryption, bluetooth is indeed encrypted between the two devices but if your device is using the default pairing passcode (which is usually available in the products manual) then that encryption is mostly worthless. Most devices don't support multiple independent connections, so if you are paired with your phone than I wouldn't worry about someone else trying to connect. That said, I think it's a good practice to not keep personal information on the device unless you really have to.

What if there's no passcode - and it just connects automatically ?
and as for "short range..." - my bluetooth headphones connect at a range of at least 100 feet (through solid brick walls) at the end of the garden !!

System

50Twuncle wrote: »

I have just bought myself a smart watch/ fitness device

I am surprised to discover that to download data - you simply run an app on a smartphone and bluetooth the data between watch and phone (both ways) without any security at all !
The watch continually pumps out data (24/7) - bluetooth is enabled permanently - so (in theory) anyone with a bluetoorh scanner can read my personal data !

Are genuine Fitbits the same ?
In case anyone is interested - I have ensured that my data is made up (birthdate, email, postcode etc etc)

Nothing is 100% secure but this is Apple’s Info regarding the Watch.....

Apple Watch uses the security features and technology built for iOS to help protect data on the device, as well as communications with its paired iPhone and the Internet. This includes technologies such as Data Protection and Keychain access control. The user’s passcode is also entangled with the device UID to create encryption keys.

Pairing Apple Watch with iPhone is secured using an out-of-band (OOB) process to exchange public keys, followed by the BTLE link shared secret. Apple Watch displays an animated pattern, which is captured by the camera on iPhone. The pattern contains an encoded secret that is used for BTLE 4.1 out-of-band pairing. Standard BTLE Passkey Entry is used as a fallback pairing method, if necessary.

Once the BTLE session is established, Apple Watch and iPhone exchange keys using a process adapted from IDS, as described in the iMessage section of this paper. Once keys have been exchanged, the Bluetooth session key is discarded, and all communications between Apple Watch and iPhone are encrypted using IDS, with the encrypted Bluetooth, Wi-Fi, and Cellular links providing a secondary encryption layer. Key rolling is utilized at 15-minute intervals to limit the exposure window, should traffic be compromised.

To support apps that need streaming data, encryption is provided using methods described under “FaceTime” in the Internet Services section of this paper, utilizing either the IDS service provided by the paired iPhone or a direct Internet connection.

Apple Watch implements hardware-encrypted storage and class-based protection of files and Keychain items, as described in the Encryption and Data Protection section of this paper. Access-controlled keybags for Keychain items are also used. Keys used for communications between the watch and iPhone are also secured using class-based protection.

When Apple Watch isn’t within Bluetooth range, Wi-Fi or cellular can be used instead. Apple Watch won’t join Wi-Fi networks unless the credentials — which must have previously been synced to Apple Watch — are already present on the paired iPhone. If Apple Watch is out of range of iPhone, any new network credentials on iPhone aren’t on Apple Watch.

Apple Watch can be manually locked by holding down the side button. Additionally, motion heuristics are used to attempt to automatically lock the device shortly after it’s removed from the wrist. When Apple Watch is locked, Apple Pay can only be used by entering the watch’s passcode. Wrist detection is turned off using the Apple Watch app on iPhone. This setting can also be enforced using an MDM solution.

The paired iPhone can also unlock the watch, provided the watch is being worn. This is accomplished by establishing a connection authenticated by the keys established during pairing. iPhone sends the key, which the watch uses to unlock its Data Protection keys. The watch passcode isn’t known to iPhone nor is it transmitted. This feature can be turned off using the Apple Watch app on iPhone.

Apple Watch can be paired with only one iPhone at a time. iPhone communicates instructions to erase all content and data from Apple Watch when unpaired.

Enabling Find My iPhone on the paired iPhone also allows the use of Activation Lock on Apple Watch. Activation Lock makes it harder for anyone to use or sell an Apple Watch that has been lost or stolen. Activation Lock requires the user’s Apple ID and password to unpair, erase, or reactivate an Apple Watch.


.....Needless to say I don’t give it a second thought on how secure data is between my devices as I trust Apple to keep working on protecting my data.

Johnmcl7

50Twuncle wrote: »

What if there's no passcode - and it just connects automatically ?
and as for "short range..." - my bluetooth headphones connect at a range of at least 100 feet (through solid brick walls) at the end of the garden !!

Bluetooth devices without passcodes are usually ones where security doesn't matter such as BT audio devices or similar. Bluetooth devices can have different ranges so again audio devices tend to have a very wide range since they're more likely to need them and the power usage tradeoff is worth it.

Any smartwatch I've used requires pairing with a passcode and they're very short range, only about a metre or so before it disconnects. For the smartwatch to be used with a phone it needs to be set to pairing mode and then the phone needs to confirm the code on the watch screen.

John

AndyPix

OP - May i ask what exactly your speciality was during your long career in proper IT ?


Its just that you ask the most basic questions regularly and dont seem to understand basic technologies.


Was your career in bespoke systems ?

AndyPix

Come on - you are online - answer the question .. It has been asked of you before and you always ignore it

indesisiv

Johnmcl7 wrote: »

Any smartwatch I've used requires pairing with a passcode and they're very short range, only about a metre or so before it disconnects. For the smartwatch to be used with a phone it needs to be set to pairing mode and then the phone needs to confirm the code on the watch screen.

My garmin watch picks up Bluetooth notifications from my phone from significantly further away than 1m!
I would say 10m is a lot more realistic as I can leave my phone in the living room, walk through the house and sit in the garden and still get notifications on my watch.