Want to keep your private data private? Maybe you should postpone that smartwatch purchase.
Researchers at the University of New Haven have shown that they can extract personal information from the LG G Watch and from the Samsung Gear 2 Neo . Specifically, they retrieved calendar, contacts and pedometer data from the G Watch, along with the watch user’s email address. On the Gear 2 Neo, they got health, email, messages and contacts data. None of it was encrypted.
“It was not very difficult to get the data, but expertise and research was required,” said Ibrahim Baggili, director of the university’s Cyber Forensics Research and Education Group (UNHCFREG). He and co-authors Jeff Oduru, Kyle Anthony, Frank Breitinger and Glenn McGee plan to present their findings in a paper for a digital forensics conference in August.
Our personal data and who access to it has become an increasingly pressing concern, especially as the everyday objects around us — from watches to our clothes — get smarter, more connected and share more information with each other. The ease with which Samsung’s and LG’s smartwatches were hacked speaks to the importance of data encryption.
Not many people yet own smartwatches, but the numbers are sure to grow in the coming months and years. Market researcher Strategy Analytics said that in 2014 device makers including Samsung, LG, Motorola and Pebble shipped a total of only 4.6 million smartwatches worldwide, and while it forecasts a jump to 28.1 million in 2015, that’s still a blip compared with the number of smartphones moved.
Much of the increase this year is expected to ride on the back of the Apple Watch, which went on sale in late April. Apple’s gadget won’t just spark the market — with its range of capabilities, it also points to just how central smartwatches could soon become in our digital lives, tracking everything from our health and fitness data to our phone calls and electronic payments.
Encryption can help keep people’s data out of prying hands by scrambling that information so that it’s readable only by those with the key to it — but even then there are limits, in particular when the prying hands have access to a person’s smartphone, laptop or smartwatch. Beyond that, there’s a broader debate over how much encryption should be allowed. Law enforcement officials have advocated for fewer protections, which would allow them to more effectively track down criminals and monitor terrorist plots. But the easier it is for government agencies to spy on members of the public. the more open the door is for criminals looking to engage in identity theft.
It would be easy for device manufacturers to encrypt smartwatch data, Baggili said, but that’s no guarantee of safety. “Just because encryption is enabled does not mean it is implemented in a way that does not allow us to defeat the encryption,” he said.
The Gear 2 Neo uses Samsung’s Tizen operating system, while the LG G Watch is one of several models that uses Google’s Android Wear operating system. The researchers obtained the data both by poking through the watches’ files and finding traces of watch activity on the Samsung Android smartphone to which they were linked. The researchers also have begun testing the Apple Watch.
Google didn’t comment for this story, and Apple didn’t respond to a request for comment. Samsung said in a statement that the company “takes consumer privacy and security very seriously and our products are designed with privacy in mind. If at any time we identify a potential vulnerability, we act promptly to investigate and resolve the issue.”
And LG Electronics said, “At LG, we take security very seriously and will make every effort to protect the privacy of our customers. As such, we make it a priority to investigate any and all breach of privacy issues related to LG products for immediate resolution.”
The University of New Haven has been working on privacy and encryption matters that affect consumers. In 2014, it found that many smartphone communications apps were transmitting messages and photos without encryption‘s protective shield of data-scrambling technology. And in 2015, it released Datapp, a Windows program designed to let people check for that kind of unencrypted data themselves.
Apple, Google and Microsoft have moved to encrypt the file systems used to store data on their operating systems — often over the objections of governments that want law enforcement to be able to more easily use that data in their investigations. On Monday, the Software & Information Industry Association urged the Obama administration to avoid any “workarounds” that would weaken encryption.
“We appreciate that, where appropriate, law enforcement has the legitimate need for certain information to combat crime and threats,” the association said in its letter to Obama. “However, mandating the weakening of encryption or encryption ‘workarounds’ is not the way to address this need.”
The association counts Google and Apple as members, and Microsoft joined those two companies and dozens of others in signing a letter in May with a similar message.
Regardless of what the world’s governments decide, it’s best to be careful for now. “Do not forget your smartwatch the next time you are taking a shower at the gym,” Baggil said.
Update, June 12 at 11:16 p.m. PT: Adds comment from LG Electronics.