Tag: smartwatch

Related blog posts
  • 2015-9-11 20:46
    Mobile phone companies have been pushing smartwatches as a way to pump up a saturated and declining market, but there are good reasons to resist the marketing hype and not buy one. According to a report titled "Internet of Things Security Study: Smartwatches" just released by HP Fortify, as serious as security vulnerabilities have been on smartphones, they may be worse on smartwatches.

    The Fortify team tested 10 Android- and Apple iOS-based devices and found that all contained significant vulnerabilities, including insufficient authentication, lack of encryption, and privacy concerns. Included in the testing were Android, iOS cloud, and mobile application components. As a result of these findings, Jason Schmitt, general manager, HP Security, Fortify, questions whether smartwatches are designed adequately to store and protect the sensitive data and tasks they are built to process.

    All Android- and iOS-based wearable smartwatches in HP Fortify's tests failed in at least one category, with failures in the 30 to 70 percent range in some specific categories.

    Duh! This is not new information, especially in relation to Android-based designs. Reports going back over several years have revealed multiple security flaws and hacks on smartphones, especially Android-based ones. So how can we expect anything better on smartwatches?

    But the results of the Fortify tests tell me that the situation is worse than I expected. The team found serious problems falling into five broad categories:

    Insufficient user authentication/authorization
    Every smartwatch tested was paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after failed password attempts. Thirty percent of the units tested were vulnerable to account harvesting, meaning an attacker could gain access to the device and data due to a combination of weak password policy, lack of account lockout, and user enumeration. As on smartphones, the smartwatches tested allow users to upload their name and phone number address book to a server on the cloud, which then returns (enumerates) a subset of the user's contacts that are also using the service. Hackers can then use this enumeration list to derive useful information about the user's device, such as the operating system, to perform system-specific attacks.

    Lack of transport encryption
    While 100 percent of the test products implemented transport encryption using SSL/TLS, 40 percent of the cloud connections make use of weak security ciphers and are vulnerable to open source secure sockets layer-based POODLE attacks due to their continued use of SSL v2.

    Insecure interfaces
    Thirty percent of the tested smartwatches used cloud-based web interfaces that had security problems, the most serious of which had to do with account enumeration.

    Insecure software/firmware
    70 percent of the smartwatches had problems with protection of firmware updates, including transmitting firmware updates without encryption. While many updates were 'signed' to help prevent the installation of contaminated firmware, the lack of encryption on the devices raised the possibility that the files could be downloaded and analyzed.

    Privacy concerns
    All of the smartwatches tested, similar to their smartphone big brothers, collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information, with little thought given to account enumeration issues, as well as continuing the use of weak passwords on some products.

    The Fortify report offers some suggestions for correcting these problems. On the provider side, they suggest:
    - Ensure that transport layer security (TLS) implementations are configured and implemented properly
    - Protect user accounts and sensitive data by requiring strong passwords
    - Implement controls to prevent man-in-the-middle attacks
    - Avoid using apps that require access to the cloud for operation; instead provide as many as possible on the smartwatch device

    But much of the burden still falls on the end user. Fortify's report suggests that anyone using a smartwatch protect themselves by doing the following:
    - Don't enable sensitive access control functions (e.g., car or home access) unless strong authentication is offered
    - Enable security functionality (e.g., passcodes, screen locks, and encryption)
    - For any interface such as mobile or cloud applications associated with your watch, make sure that strong passwords are used
    - Do not approve any unrecognized pairing requests

    The Fortify report does not identify specifically which devices failed or what OSes were used on each. But based on Android's abysmal security record on smartphones, I'm pretty certain that most of the smartwatches that failed were based on the Android platform. I would like to think that the Android-based smartwatches were using Version 5.1.1 (Lollipop) or a later version with their additional security permissions capabilities. But given the poor performance of most of the smartwatches in these tests, that is a risky assumption to make.

    Android looms large in the problem with cell phone security.

    I also suspect that there were few failures on Apple iOS-based smartwatches. This speculation is based on three factors that I think could affect security. One is the difference between proprietary and open source operating systems and the degrees of control a company can impose on those who build apps for their OS. Second, the degree to which platform providers have been incorporating security features into their OS and, third, the degree to which they can force developers to adhere to the rules they have set down.

    Apple's iOS is proprietary and all apps are written to an internal set of application programming interfaces. To qualify apps to run in the iOS environment, developers usually go through a rigorous set of procedures. By contract, adherence to Apple's requirements is enforced by the threat of lawsuits and fines.

    Google's Android, however, is an odd mix of open source and proprietary components. Android is an open source distribution of Linux OS with a Java-based API wrapper, neither of which was originally designed with security in mind. While Linux can be made secure, it's an expensive process, so it is only done where the application environment requires it.

    For any open source platform, hardware vendors download a distribution to which they can make additions or subtract features outside the basic core elements. Because of the mixed open source/proprietary nature of Android, there do not seem to be any means by which Google has the same kind of legal or institutional muscle that Apple can impose. As far as I can see, any security enhancements that Google and the associated developer community have come up with are only recommendations, and not easily enforceable.

    So if you are going to buy a smartwatch, I suggest using only those features that do not involve connecting with the outside world, such as using it to see what time it is. Unfortunately, other than that, it's getting harder to determine if and when that occurs. Because of limited power, memory, and compute resources, more and more apps you download to your Android-based smartwatch are not really installed on your smartwatch but reside in the cloud somewhere, even some you would assume in no way involve connectivity.
  • 2013-12-16 16:54
    The market for wearable devices is estimated to reach $19 billion in the next 5 years. We are already seeing the biggies like Google and Samsung launching several innovative products in this space and others like Microsoft and Apple making large investments in this segment. We are also seeing other products like the crowd-funded Pebble Smartwatch.

    The beauty of this development is that it is not confined to one section of users but is all-pervasive, like what laptops and computers used to be for the earlier generation. While Google and Samsung are announcing consumer-focused products, the likes of Motorola Solutions are doing it for the industrial segment, and Microsoft is investing in this area presumably for gaming and mobile technologies.

    Rewinding a little, the first wearable computer was the calculator watch introduced in 1980 and even Bluetooth headsets of the 90's and early 2000's. But today, what has truly caught the imagination of everyone is the latest trend in wearable technology, including smart watches, wearable computers and hands-free, voice-activated head-mounted computers that can be used by anyone from a lineman checking the electrical lines on top of a 100 meter pole, to a doctor performing a complex neurosurgery, to a fire fighter or an industrial worker doing machinery repair. The sheer vastness of the usage and the range of wearable computers available are just amazing.

    Expanding the scope further for professional applications like some of the usage scenarios discussed earlier, these devices will be the next generation of productivity tools, providing connectivity and accessibility to expert advice/virtual presence and resulting in large cost and time savings.

    Taking a peep at the platform used to build these devices, we can see that the majority of today's smart devices are built around the traditional dual or quad core SoCs, the same as today's smart phones. In addition, integration of radios like Bluetooth, WLAN and GPS is imperative for these smart devices. This, along with a host of sensors like a camera sensor, proximity sensor, ambient light sensor, thermal sensor, accelerometer and gyroscope, and integration of speech recognition, gesture recognition and video streaming, is required to make these devices truly an extension of our physical self. Devices which are used by professionals for industrial applications also need to have the backend integrated with a server and cloud to provide access to professional information and features like real-time video chat, video streaming to remote locations, etc.

    Looking at these devices themselves, a question to be asked is: do we require such heavy-duty, high-power silicon, commonly used in cell phones and tablets, to be integrated in wearable devices? It's not just the bulky batteries that can't be accommodated in small wearable devices. The heat and radiation emitted by traditional cellular devices also need to be eliminated from wearable devices. As these devices are going to be in contact with the user for extended periods of time (8 hours+), it is very important to ensure that the radiation and heat emission are reduced to levels that will not affect our brain or other body parts. So how do we do that?

    The situation is similar to when we were using PC processors for the first generation of embedded devices, till we came up with SoCs exclusively for embedded products. We will have to reinvent all over again! Just like we developed the electronic components, SoCs, middleware and software applications for mobile devices, we will have to address the wearable devices market, which will open up huge opportunities for early starters with the right ideas.

    By, Srinivas Panapakam
    General Manager – Product Engineering Services Division
    Mistral Solutions, Bangalore
    http://www.linkedin.com/in/srinipanapakam
  • 2013-12-16 16:43
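    The arrival of the post-PC era has made portable electronics such as smartphones and tablets ubiquitous, and major vendors have started developing wearable devices as well; Google, SONY, Nike and Qualcomm, among others, are all racing to stake out positions in the wearables market. Of these products, the smartwatch is currently the hottest. Although many brands have launched smartwatches, not every watch wins consumers over. Samsung's Galaxy Gear smartwatch, which went on sale at the end of September this year, has recently drawn a steady stream of negative news: according to reports, as many as 30% of consumers who bought the Galaxy Gear returned it after using it, which shows that many consumers were not satisfied with the product in actual use. An IHS analyst bluntly named the product's three major shortcomings: (1) the US$300 price is too high, (2) battery life is insufficient, and (3) compatibility is limited, so it cannot connect to phones from other brands. Smartwatches clearly still have a great deal of room for improvement in product design and development.

    Figure 1: Samsung's Galaxy Gear has been criticized as "a prototype masquerading as a commercial product" (Ian Fogg, IHS analyst)

    Broadly speaking, the smartwatches available to consumers come with either touch or button interfaces; some have a camera and some even support voice control. Facing this emerging market, Allion Labs, Inc., as a test and validation specialist, keeps pace with the times and follows smartwatch product development and market trends closely. To understand the real-world performance of the smartwatches currently on the market and to check that their interfaces are convenient to operate, we recently picked three smartwatches of different brands from the market for testing. Drawing on the hands-on impressions of five power users who know electronic products well, we rated and analyzed the watches from the user's point of view in three areas: appearance, user interface (UI) and functionality.

    Figure 2: The products tested, from left to right: SONY Smart Watch 2, Martian Passport Watch, Pebble Smart Watch

    The smartwatches purchased for this test were all released between the second and third quarters of this year (see Figure 2): SONY's Smart Watch 2, Martian's Passport Watch and Pebble's Smart Watch. Unlike typical portable products, which all look much alike, smartwatches differ sharply in their basic design. SONY's Smart Watch 2 uses touch interaction with a 1.6-inch LCD screen at 220 × 176 pixels. Martian's Passport Watch combines a traditional analog watch face with a 96 × 16 pixel OLED screen below it that can only display text and is not touch-sensitive; there are two control buttons on the left of the case, while the right side is used to set the hands. Pebble's Smart Watch uses a 1.26-inch e-paper screen at 144 × 168 pixels, with four control buttons in total on the left and right sides of the case, and likewise has no touch capability.

    Table 1: Specifications of the products tested

    To make the report precise, the three main topics (appearance, user interface and functionality) were each broken down into individual scored test items, which the five power users rated from 10 (most satisfied) down to 0 (least satisfied). Any test item that could not be carried out, or that ran into a compatibility problem, was scored 0.

    Table 2: Appearance and user interface (UI) scores

    Product appearance
    As Table 2 shows, the SONY, with its metallic finish and touch panel, performed best of the three products on "wearing comfort" and "design", beating the Martian with its text-only OLED display and the Pebble with its e-paper display. However, because this SONY model's strap uses a butterfly clasp, the wearer cannot adjust the strap tightness, so it lost to the Pebble on "ease of putting on".

    User interface (UI)
    SONY took first place in all three user interface test items ("interface smoothness", "interface font size" and "interface font legibility"), showing that users prefer its 1.6-inch screen, which can display six apps at once. However, SONY's Home key sometimes fails to register touches. In addition, the Pebble scored lowest because the buttons on both sides of its case are inconvenient to operate.

    Table 3: Functionality scores

    Functionality
    Smartwatches on the market are largely extensions of the smartphone, so in operation they have to interconnect with apps on a smartphone or tablet. In the functionality scoring we therefore broke out separate test items for satisfaction with each smartwatch's app. When pairing with a phone, the SONY has NFC, so it can pair with the phone quickly and bring up the Bluetooth connection; it therefore scored highest on "ease of installation and pairing with the phone", and it also scored highest on both "app interface appearance" and "app interface ease of use". In the "satisfaction with basic functions" ratings, the SONY performed best on "SMS notification" and "Mail (Gmail) notification" but lost to the Martian on "answering incoming calls", because the Martian lets the user answer a call directly on the watch and talk through its built-in noise-cancelling microphone and speaker. However, although the Martian is the only one of the three products with voice dialing, it performed poorly there: the voice-control function is not synchronized with the user's language and region, which makes voice dialing inaccurate.

    Most smartwatches on the market today play a supporting role to the smartphone, using Bluetooth to alert the user to new notifications or incoming calls received by the phone, so a stable connection between smartphone and smartwatch is especially important. For this evaluation we paired the three smartwatches with six Android smartphones of different brands and two iOS phones and tested the basic functions, including SMS, incoming call alerts and social app notifications. Table 4 shows that all three smartwatches had compatibility problems when paired with smartphones: for example, the LG Nexus 4 and the SONY smartwatch had compatibility problems with the Mail and Facebook notification functions, and a SONY XPERIA Z received a Facebook notification that the Martian watch never received. According to Allion's team of experts, this shows that vendors need comprehensive compatibility testing so that their products are fully compatible with the full range of other smartphones; only then can they assure quality in use and deliver a good user experience.

    In addition, Allion's Bluetooth Qualification Expert (BQE), who has many years of experience, found after testing that although Martian's Passport Watch claims Bluetooth 4.0 Low Energy technology, in actual use it does not implement a usable profile that exercises the Low Energy function. Pebble's Smart Watch is listed on the official website as having Bluetooth 4.0, but verification found that it does not truly carry Bluetooth 4.0; it can only be described as Bluetooth 2.1+EDR, which differs from the claimed specification. Developers therefore need a specialist vendor to provide professional Bluetooth qualification testing, to make sure the product meets the specifications in the Bluetooth qualification requirements; only then can it obtain Bluetooth qualification and product listing, and be correctly compatible with devices of the corresponding specification.

    Table 4: Pairing tests between different smartphone models and the three smartwatches

    Overall Review:

    SONY Smart Watch 2
    A product with a quality feel and room for functional expansion. Overall UI performance is good, but a higher screen resolution would attract more potential customers. Each app on the smartphone has to be installed manually and individually, which makes first-time use more complicated. The watch's own Sleep Mode does not dim smoothly, so users can easily be confused into thinking the device has crashed or the screen is faulty. Testing of popular social networking apps found that tweets on Twitter cannot all be marked as read, and that Facebook notifications are missed or arrive late. We suggest letting users freely move the apps on the watch face, adding automatic brightness adjustment based on ambient light, and adding voice control.

    Martian Passport Watch
    The app on the smartphone is simple and easy to use, not complicated. However, the watch case is too bulky and uncomfortable to wear. In addition, the watch's Bluetooth connection fails often, some apps cannot connect, voice dialing accuracy is low, and the camera launched from the watch cannot autofocus. The standby screen on the display panel is too plain; we suggest a larger screen and improvements to the case thickness and weight.

    Pebble Smart Watch
    The design, in which files must first be downloaded to the smartphone and then transferred to the watch, is inconvenient to install, and at 11MB the app is relatively large. The app interface is too plain, yet the settings screens contain too much descriptive text, which is hard to read, and there is no prompt saying which button on the right side of the watch to press, which makes installation and setup inconvenient. The lack of multi-language support is a major drawback, and when disconnected the app keeps searching, which drains the smartphone's battery heavily.

    Suggestion from Power Users:

    Coordination between hardware and software is very important in developing a perfect product; consumers expect a product that is both personalized and innovative. We would like to see more standby screens to choose from on the SONY and Martian smartwatches; for the Pebble, with its e-paper display, we suggest adding an LED light so that it can be used in dim lighting. Installing the app from a smartphone should be simplified as far as possible, guiding the user step by step with simple icons wherever possible and avoiding excessive text and complicated interfaces. For water resistance, both SONY and Martian fit a cover over the charging port, but as a result, when the Martian smartwatch is charging, the charging cover catches on the time-setting crown and can easily snap off; small details like these all affect how users perceive the product. Beyond that, we suggest that smartwatches offer navigation and be combined with a fitness band to add health management functions, making more effective use of the advantages of Bluetooth 4.0 Low Energy.

    Figure 3: The specially designed metal inductive charging connector on the side of the Pebble Smart Watch makes charging convenient for the user, but also increases the chance of a short circuit

    The main reasons consumers are still on the fence about buying a smartwatch are poor product design, high prices, a lack of innovative features and poor battery life. On top of that, too few apps have been developed for smartwatches, which puts consumers off further. This evaluation shows that compatibility problems are currently widespread among smartwatches, so vendors need to make interoperability between the smartwatch and other devices their first priority before going on to develop more advanced features. Allion's professional BQE predicts that if smartwatches are to see revolutionary innovation, it may lie in directions such as providing health monitoring or care functions or carrying a Fitness Sensor, combined with Bluetooth 4.0 Low Energy technology, using the fact that the watch is always on the wrist to provide more extended services for the smartphone. As a professional test laboratory, Allion can provide one-stop test and certification for both Bluetooth and touch functions. It can also supply the latest handheld devices each quarter for compatibility testing and help vendors carry out competitive analysis of different products, so that they understand the strengths and weaknesses of their own products, discover errors promptly, identify the likely causes, and then debug and propose solutions.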