Researchers Uncover Vulnerabilities in Smartwatches
The University's Cyber Forensics Research and Education Group is getting worldwide attention for revealing that its researchers could extract personal information from smartwatches made by LG and Samsung.
The discovery comes only months after the group shed light on security flaws in smartphone apps used by more than 1 billion subscribers.
"It was not very difficult to get the data, but expertise and research was required," said Ibrahim Baggili, director of UNH's Cyber Forensics Research and Education Group. He and co-authors Jeff Oduru, Kyle Anthony, Frank Breitinger, and Glenn McGee plan to present their findings in August at the 10th Annual International Conference on Availability, Reliability and Security ("ARES") in France.
"Specifically, they retrieved calendar, contacts and pedometer data from the G Watch, along with the watch user's email address. On the Gear 2 Neo, they got health, email, messages and contacts data. None of it was encrypted." - CNET
Not many people yet own smartwatches, but the numbers are predicted to grow in the coming months and years. Market researcher Strategy Analytics said that in 2014 device makers including Samsung, LG, Motorola and Pebble shipped a total of only 4.6 million smartwatches worldwide. It forecasts a jump to 28.1 million in 2015.
The research was reported on by CNET, a leading reviewer of technology products, and the findings have been featured in more than 90 media outlets across the globe, with stories written in English, Chinese, Spanish, German, Korean and Turkish, among other languages. Here's a story about their research on WT Vox, and another by International Business Times.
Last month, UNHcFREG released "Datapp", a free application that helps users find unencrypted data leaked from applications on their phones and computers.
Datapp was developed in response to demand from people who contacted the group after its researchers received worldwide attention for revealing security flaws, breaches of privacy and additional vulnerabilities in chat, dating and other social media apps used by more than one billion subscribers.
"Watch What You Wear"
The paper detailing the research is entitled "Watch what you wear: preliminary forensic analysis of smart watches."
The paper's abstract reads as follows:
This work presents preliminary forensic analysis of two popular smart watches, the Samsung Gear 2 Neo and LG G. These wearable computing devices have the form factor of watches and sync with smart phones to display notifications, track footsteps and record voice messages. We posit that as smart watches are adopted by more users, the potential for them becoming a haven for digital evidence will increase thus providing utility for this preliminary work. In our work, we examined the forensic artifacts that are left on a Samsung Galaxy S4 Active phone that was used to sync with the Samsung Gear 2 Neo watch and the LG G watch. We further outline a methodology for physically acquiring data from the watches after gaining root access to them. Our results show that we can recover a swath of digital evidence directly from the watches when compared to the data on the phone that is synced with the watches. Furthermore, to root the LG G watch, the watch has to be reset to its factory settings which is alarming because the process may delete data of forensic relevance. Although this method is forensically intrusive, it may be used for acquiring data from already rooted LG watches. It is our observation that the data at the core of the functionality of at least the two tested smart watches, messages, health and fitness data, e-mails, contacts, events and notifications are accessible directly from the acquired images of the watches, which affirms our claim that the forensic value of evidence from smart watches is worthy of further study and should be investigated both at a high level and with greater specificity and granularity.