0

For the longest time, every pun intended, I was a smartwatch hater. How dumb is that, a stupid-expensive smartwatch that really does nothing much at all. I mean, what's the point of wearing a watch that tells you when there's an email on the phone that's in your pocket? Or, indeed, of a watch at all when that phone in your pocket also tells you the time?

The fact that smartwatches looked so bad, unless you like the kind of design on your wrist that shouts 'came free with a tankful of gasoline' that is. Even those usually uber-cool designers could only come up with a rectangular slab for the Apple Watch. And don't get me started on the Motorola 'hockey puck on a strap' that couldn't even throw in a fully circular display on its fully circular watch face.

Then a few things started happening all at once. Smartwatches that actually looked like watches, that weren't so huge that only tech savvy Orangutan could carry them off, and that had some real world functionality combined with practical usability started to appear. So this hater broke, and bought one.

I'm not a fan of square watches, and I don't currently run an iPhone, so that meant the Apple Watch wasn't an option for me. I didn't much like the Android Wear UI, despite there being some interesting watch designs appearing from the likes of Huawei.

I did, however, think the rotating bezel as a functional quick select wheel on the Samsung Gear S3 models was a brilliant piece of design. The watch looked like a watch and, coupled to a Samsung Galaxy S8, everything just worked as I expected.

So how dumb did I feel, as a security guy, when news broke soon after that the Samsung 'Tizen' operating system used by the watch was found to be rather wanting when it came to the quality of the coding?

Most of the vulnerabilities uncovered were really more applicable, in terms of actionable exploits, to the Samsung range of smart TVs running the OS rather than smartwatches though. Samsung Galaxy phones are Android devices, so not impacted. A bunch of remote code execution holes are always going to be worrying, but actually exploiting them for any real gain on a smartwatch is a lot harder than you might think from some of the media headlines at the time.

The thing is, media headlines are not always that accurate a barometer of real world risk. Take when the MoLe data theft 'threat' to smartwatch users was widely reported a couple of years ago. I was one of the few reporters to suggest it posed 'no real world threat' despite many claims elsewhere that it did.

The Motion Leaks Through Smartwatch Sensors (MoLe) threat was actually a labs-based side-channel attack. It was based on research about grabbing the information that someone wearing a smartwatch was typing, by monitoring the motion sensor readings in the watch. Sounds scary right?

Yeah, but it wasn't. It really wasn't. Here are just some of the lab conditions required for the threat to be successful: both victim and attacker had to be wearing the exact same model of watch, and the victim needed to wear it on their left hand and have already been duped into installing a malware app onto the watch. Oh, and it only worked if the typing in question was on word at a time rather than flowing strings of text. And, yep there's more, was typing using all fingers in the accepted manner.

Still, it could grab passwords, right? Yep, if all of those conditions were met and the password only contained valid English words. So, the sort of password that could be easily cracked using a dictionary attack anyway. Rendering all this dumb smartwatch approach pointless.

That's not to say that there aren't security risks for smartwatch users, of course there are. Data storage and user authentication become bigger problems when smartwatches start to be used as a conduit for mobile payments. In fact, most of the security issues that are being talked about for smartwatches today and the same ones we talked about for smartwatches a few years ago. For the most part those questions got answered, and they are being answered on the wrist as well.

Thankfully the attack surface, both in terms of user take up and physical resource, is pretty small. The bad guys prefer to invest their time and effort on attacking platforms that have a critical mass that can lead to a profitable return. The relatively small number of smartwatch users, spread across three main operating systems, combined with the limited amount of memory to install malware and the limited amount of onboard data to exfiltrate makes it a very hard criminal sell.

Of course, that the watch is conduit to a smartphone which is a conduit to other networks remains a real risk. And that it uses Bluetooth, a communications channel already well exploited by the bad guys, to connect to the smartphone can increase the attack surface of both watch and phone.

That smartwatches are really designed to view data rather than create or store it, is something of a saving security grace. It makes them less vulnerable than the smartphones which provide that data at any rate.

Looking beyond the security side of the fence, I have to admit that I am now quite the convert to smartwatch way of life. I don't find it a dumb device, nor do I think you are dumb to buy one (although I guess I would say that now, wouldn't I?)

So what do I use my smartwatch for then, that I couldn't do without it? I will start with the most obvious and probably most contentious thing: telling the time. Yes, I know that I could tell the time on a 'normal watch' or by looking at my smartphone. However, I work in multiple time zones and so have a watch face that lets me keep a secondary time on display all the while. What's more, my world clock is just a button press away on my wrist where the current time in a further five cities is to hand. More literally, on my wrist.

Then there's how that time is displayed. You can download a ton of different clock apps, mostly truly horrendous, for your mobile platform of choice I guess. You could also have a bunch of different watches for different occasions. I prefer to carry a host of different watch faces, and that's not really doing some of them justice, all right there on the same watch. It takes me a matter of seconds to have a new watch on my wrist, and the number of new watches available is vast. Analogue style, digital style, just displaying the time, time and date, time in different zones, battery usage, health info, weather forecast, all wrist-based options.

Then there's the second most important thing for me, the notifications. I can see my email, my text messages, my calls all at a glance of my watch. This sounds like a nonsense, no different to looking at the phone, until you have actually lived it for a while. Then it becomes something you really couldn't do without. Especially as I can send templated responses right from the watch, reject or answer a call without resorting to the phone handset. I rather like being able to receive one-time passcodes on my wrist as well; much quicker when accessing a service than using my phone.

I'm not a health freak, as anyone who has seen me will testify, but having fitness band features built into a watch makes a lot of sense. I remember all those who argued that nobody needed or wanted an MP3 player in a phone, and ditto a camera for that matter. Look how that panned out. The fewer devices the better, which could be an argument against the smartwatch of course. However, I wear a watch anyway so being able to incorporate a fitband makes sense. And, since owning a smartwatch, I have actually started to take more of an interest in my health and do strive to beat step targets, keep an eye on my heart rate etc. Not least as my watch prompts, or annoys, me into being more active.

For sure, a smartwatch isn't going to be for everybody and there remain plenty of things the cynic in me dislikes. The price for one, as a decent smartwatch isn't cheap and with uptake slower than expected globally I imagine prices aren't going to drop at the high-end anytime soon. Then there's the battery life, both in terms of how much you get in-between charging and overall life expectancy. The former has improved, at least with the device I wear, to the point that I get two days of usage out of a charge. That said, I'm in the habit of charging overnight using the charger/stand anyway. The latter is more problematical as the batteries in most smartwatch devices are not replaceable. I'm guessing the vendors are thinking that after three years or so the user will be wanting to upgrade to a newer model. They are, sadly, probably right - but it still sucks.

Am I dumb for buying a smartwatch? Possibly. Are smartwatches dumb? Far from it, and they can only get smarter. You just have to give them a chance...

Edited by happygeek

2
Contributors
1
Reply
13
Views
1 Month
Discussion Span
Last Post by Reverend Jim
1

I think a cool smartwatch app would be to have it pair with your self-driving car. If the smartwatch app detects that you are having a heart attack it drives you to the nearest hospital while calling 911.

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.