Last week’s Apple Watch launch has put the spotlight back on the ‘smart’ inter-connected watches that are expected to change how we interact with each other and the internet. But how secure are they?
Despite the buzz around the Apple Watch, which launches in the US on April 24, the smartwatch boom has been some time coming. The first models date back to the 20th century but it wasn’t until late 2013 that smartwatches caught the eye of hardware manufacturers and the public alike.
Pebble kick-started the trend before Samsung, Sony, Motorola and others arrived on the scene, promising smartwatches offering a glance-like view of your notifications, an ability to quickly send and view messages, make calls, control music and even monitor your fitness.
These are the wearable computers of the future, and they’re here today, but there are still some security concerns.
Another target for attackers
Wearables, including smartwatches, represent another attack target for the cybercriminals who are currently enjoying the opportunities presented by mobile devices.
Over the last year, there has been almost a two-fold rise in Android malware and iOS attacks and vulnerabilities, while attackers have more recently sought to compromise internet-connected sensors. One proof-of-concept attack late last year showed that white-hat hackers could compromise the Google Nest internet-connected thermostat in 15 seconds.
An attack has also been demonstrated in which attackers could compromise a Samsung Gear Live smartwatch paired with a Google Nexus 4, and expose plaintext conversations, after a brute-force attack on Bluetooth passcodes.
It is early days, and as such in-the-wild attacks are few and far between, but you can be sure attackers will see smartwatches as another door to stealing data, money and even identities – especially when so many breaches are down to poor patch management, vulnerable third-party apps and company insiders.
Bring Your Own Device
Enterprise IT security teams are still reeling from the Bring Your Own Device (BYOD) trend, where employees are choosing to use their own iPhones, iPads and Android smartphones for work. A number of firms still don’t have adequate policies, controls or even the right technology.
That could continue with smartwatches. Earlier this year, in a survey of more than 1,000 employees from 100 organizations, Accellion found that over half (53 percent) of IT decision makers are yet to consider the possible impact of wearable technology on data security, despite 81 percent acknowledging that the increase in wearable devices will pose a security risk.
What’s more, less than half (41 percent) believe they currently have a BYOD policy in place that can be extended to wearables, while an alarming 77 percent don’t consider wearable technology as part of their broader mobile security strategy.
Security risks might usurp those of privacy, but that could change in future as these devices gain extra controls to take photographs and record audio and video. Samsung’s Galaxy Gear Live can already record audio and video clips, and there are numerous apps on the Android Wear store promising to do the same.
As a result, there could be concerns about data leakage, data loss and industrial espionage – especially if a disgruntled employee happens to be wearing a smartwatch.
The UK has both the Data Protection Act and the CCTV Code of Practice to refer to when considering this, but information security professionals urge companies to enforce sensible guidelines around the use of wearables like smartwatches in the workplace.
But all is not lost
The good news is that, despite the concerns, hardware manufacturers have made a strong start.
The Apple Watch, for example, like all iOS devices, has an opt-in password, which users are required to enter each time they put the Apple Watch back on their wrist. The sensors in the watch will therefore tell if someone is wearing it. Crucially, the password becomes mandatory if Apple Pay is set up on the Apple Watch, while Pay accounts can be deactivated remotely via iCloud.
In short, this means that, if you did lose your iWatch, someone wouldn’t instantly be able to go shopping on your dime.
The other standard security features are also relatively up to the task. Bluetooth, the low-energy technology used to pair most smartwatches with users’ phones, is not often targeted (although, as shown above, it could be open to brute-force attacks), while both Android Wear and WatchOS are based heavily on the Android and iOS mobile operating systems, which have made huge strides on security over the last year, especially on end-to-end encryption and authentication.
Even the third-party apps that go through the app stores have greatly improved, with Apple and Google vetting for malware more now than ever before.
These are early days for the smartwatch, as illustrated by the excitement and nervousness. On the security front, experts believe that encrypting data passing over Bluetooth, containerizing corporate data – as seen on Samsung’s Knox – and enforcing better policy control will help security going forward. But only time will tell if smartwatch security becomes serious business or a serious afterthought.
Author Karl Thomas, ESET