Analysis of Access Control Mechanisms for Smart Watches in Compliance with EN 18031 Standards

Analysis of Access Control Mechanisms for Smart Watches in Compliance with EN 18031 Standards

In the era of rapid development in information technology, smart watches have become a typical representative of the wave of intelligence. Traditional watches are limited to basic services such as time display and timing, while smart watches not only retain core functions but also expand into health features such as heart rate monitoring and exercise data recording, as well as integrating advanced functions involving a large amount of sensitive data, such as smart payments and calls, significantly increasing reliance on user privacy data.

Within the privacy and cybersecurity standards framework, the EN 18031 standard holds significant guiding importance, consisting of two core parts: EN 18031-1 focuses on network security protection applicable to all connected devices; EN 18031-2 emphasizes personal privacy protection, targeting child care devices and wearable wireless devices. Since smart watches possess both connected and wearable attributes, they must meet the requirements of both parts. This chapter analyzes compliance with the standard from the perspective of access control mechanisms.

1. Applicability Determination of Access Control Mechanisms for Smart Watches

From the perspective of asset types, the security assets of smart watches encompass device operating system permissions, network connection configurations, payment key storage modules, etc.; privacy assets include health data such as user heart rate and sleep cycles, as well as sensitive information like call records, location information, and payment transaction records.

In public access scenarios, only clearly advertised public functions such as “time display” and “basic exercise data sharing” can be exempted from access control; however, privacy assets such as health data and location information, even if shared with user authorization, still require access control to limit the scope, which aligns closely with the enhanced requirements for privacy protection in wearable devices outlined in EN 18031-2.

Although smart watches are wearable devices, they can connect to networks via Bluetooth, WiFi, mobile data, etc., breaking spatial limitations. Their intelligent functions have approached those of smartphones, involving a large amount of personal data. If a device with payment functionality lacks access control, losing it could lead to financial losses. Therefore, it is necessary to supplement logical controls such as lock screen passwords and application permission levels, for example, the “wrist recognition unlock” function, which automatically locks the device when it is removed from the wrist. This essentially enhances logical access control through environmental awareness, complying with ACM-1’s extended requirements for “expected operational environment measures.”

Analysis of Access Control Mechanisms for Smart Watches in Compliance with EN 18031 Standards

2. Scenario-Based Design of Access Control Mechanisms for Smart Watches

The EN 18031-2 standard specifies scenario-based access control mechanisms for child care devices and wearable wireless devices, with the core principle being “default restrictions + parental control,” specifically reflected in three aspects:

(1) Default restrictions on external content access

ACM-3 requires that privacy functions of children’s toy devices only allow access to authorized entity content by default. The “call” and “social functions” of children’s smart watches must strictly adhere to this. For example, a certain brand of children’s watch only allows calls to/from numbers on a “parent preset contact list” by default, prohibiting calls from unknown numbers; built-in social functions must be reviewed by a parent app before accepting friend requests, and content must undergo keyword filtering before being sent, ensuring that children only interact with content from authorized entities. Additionally, the device must log all external content access for parental review, complying with ACM-3’s implicit requirement for “content traceability.”

(2) Restrictions on third-party access to children’s privacy assets

ACM-4 clearly states that children’s privacy assets are only allowed to be accessed by the child or their parents by default, with third-party access limited to what is “necessary for the device’s expected functionality.” The location and health data of children’s watches are core sensitive assets for third-party access. For instance, to access location data via vendor cloud services for “real-time positioning,” three controls must be in place to ensure compliance: first, third-party data sharing must be disabled by default, requiring parental manual authorization in the app with a clear scope; second, third parties can only access “anonymized location data”; third, parents must receive quarterly reports on third-party data access, detailing frequency and purpose to avoid exceeding expected limits. Typically, privacy policies must disclose how third-party data is processed, covering the scope of personal information collection, usage purposes, and sharing circumstances.

(3) Parental configuration and control of children’s access permissions

ACM-5 and ACM-6 require parents to limit children’s access to their own assets and restrict other entities’ access to children’s assets, respectively. These two requirements are concentrated in the “parent control center” function of children’s watches. From ACM-5’s perspective, parents can disable “game functions” and “payment functions” through the app, limiting children’s access to entertainment assets, and can also set “usage time limits” to prevent inappropriate use; from ACM-6’s perspective, parents can refuse third-party access requests to children’s location and health data, revoke previously granted permissions at any time, and any changes in permissions must be verified by parental identity to ensure the security of configuration modifications.

Analysis of Access Control Mechanisms for Smart Watches in Compliance with EN 18031 Standards

3. Existing Challenges and Optimization Directions

Currently, the access control mechanisms for smart watches face two major issues: first, the “permission synchronization issue in multi-device interaction scenarios,” where permission changes on adult watches and mobile apps may not synchronize, potentially leading to unauthorized access in the short term; second, the “complexity of parental control” for children’s watches, where some products have cumbersome permission configuration processes, making it easy for parents to overlook critical settings. As smart technology continues to develop, security standards must be continuously iterated and upgraded.

In summary, the access control mechanisms for smart watches must be framed by EN 18031, designed in conjunction with device types and scenarios, closely adhering to the core of privacy protection, especially for children’s models, which need to strengthen “default restrictions + parental control” to meet standard requirements and ensure user data security.

···Analysis of Access Control Mechanisms for Smart Watches in Compliance with EN 18031 StandardsExploration · Focus · Leading

Craftsmanship from start to finish, the path of exploration is unwavering

Leave a Comment