With wearable technology sure to top many Christmas lists this year, Owen Evans, Security Consultant, MWR InfoSecurity, gives his advice on the security considerations people will have to make:
“The initial concern regarding the security of wearable devices stems from the technologies in place that allow devices to communicate, which in most cases is Bluetooth. Bluetooth Low Energy is often used to connect smart devices; however, despite the presence of in-built security features, a number of issues have previously been identified and published. In 2013, Mike Ryan demonstrated that it was possible to crack the Bluetooth encryption in order to view data sent over the radio link.[1] Developers need to be aware that using a radio link provides the threat of a new remote attack vector.
“Additionally, many common devices do not offer the facility to perform message-level encryption on data sent via the Bluetooth link. This means that with most wearable devices, it is down to the individual application developer to implement some form of data encryption. Historically, non-standard implementations of cryptography or custom crypto solutions have been the source of many security vulnerabilities.
“Regarding the storage of data, the idea behind wearables is generally not to store data on-device, but rather to fetch and return with a paired smartphone (or similar device). However, some wearables such as Android Wear watches do possess the ability to store data if an application developer chooses to do so. In this case, the same security concerns as are relevant with smartphones also apply here, and strong encryption should be used on all sensitive information stored on-device. A potential lack of usable security features could, however, lead to the compromise of such stored data, a prime example being the omission of a lock screen on Android Wear devices, stripping a security control from the lost/stolen device attack vector.
“As with smartphones, adoption of wearables will see them appearing in the workplace. Limitations of wearables (for example the lack of disk encryption or a lock screen) may mean data is put at a higher risk than initially realised. MDM solutions currently exist to secure phones in a BYOD environment, but so far we've not seen the same for wearables.
“Google Glass particularly presents an issue regarding privacy and usage in the workplace, as the permanent presence of a ready-to-shoot camera could allow the recording of private or sensitive information at any time. Google Glass allows always-on recording and Android smart watches require a connection to Google for a large amount of their functionality. Using many of the techniques used to infect smartphones with malware, it is feasible that an attacker could potentially gain access to your wearable device in order to monitor activity within private or secure environments.”