Wearing Your Tech on Your Sleeve

Posted on: August 14, 2014 at 1:34 pm Posted in: Internet of Things Author: Leo Balante (Technical Communications)

Sartorial decisions and technology are often considered two separate, distinct items. However, the surge of wearable “smart” devices has blurred the line between the two. Nowadays, it is common to see people accessorized in pieces of equipment that complement their day-to-day activities.

Some might assume that wearable smart devices are complicated futuristic gadgets. However, they might be surprised to find that a lot of people now own one or two of these devices; smartwatches and fitness trackers are prime examples of these.

According to Senior Threat Researcher David Sancho, wearable devices can be classified under three categories, depending on how they deal with data.

For example, if bad guys manage to compromise the hardware or network protocol of a wearable device, they would gain access to the data stored there and have control of the content being displayed by “OUT” devices. Attackers can also access the user accounts associated with the devices and can abuse the data gathered there.

Wearables also bring in the issue of privacy and permission. For example, you might not think too much of your smart glasses recording your everyday commute, but the people you run into might find that feature too intrusive. (This scenario might be one of the reasons Google published a Glass etiquette guide that includes the rule, “Ask for permission.”)

Just like any form of technology, wearables can bring about improvement and enjoyment. However, having wearables doesn’t just mean knowing how to use them; it also means knowing how to secure them. Users should know the ins and outs of their devices, considering most wearable devices are some form of “IN and OUT” devices. Learn more about wearable smart devices in our infographic, The Ins and Outs of Wearable Devices.

Smartwatches create new cybersecurity issues

Posted on: August 15, 2014 Posted in: Current News, Industry News Posted by: Trend Micro

What's the next frontier in consumer gadgetry? Many of the biggest technological advances of the past 30 years have been in software – think Microsoft Windows commodifying IBM PCs, or Android and iOS displacing bare-bones feature phone operating systems throughout the developed world. Nevertheless, end users and journalists alike clamor for new hardware, and that means something that isn't a PC, smartphone or tablet.

There are plenty of candidates (some of them, like Google Glass, have so far failed to catch on), but the smartwatch is definitely one of the most talked about post-smartphone form factors. Google's nascent Android Wear program already has a few manufacturers on board, while Apple may be working on similar, albeit likely more vertically integrated, products for release later this year.

It would be surprising if the smartwatch market were ever close to the size of the one for smartphones. Even as a fringe gadget, though, the smartwatch could have implications for cybersecurity, as an endpoint within the emerging Internet of Everything. Compared to IoE sensors in trash cans or lampposts, smartwatches are much closer to end-users, making them ideal conduits for surveillance as well as malware distribution.

Smartwatches, Android and the rise of mobile malware

In a monthly security review document published in October 2013, Trend Micro researchers cited "new devices like smartwatches and new OS versions like [Android] KitKat" as potential enablers of the long-term rise in mobile malware. At the time, the firm had recorded more than 1 million malicious and risky Android apps, ahead of its projections that such a number wouldn't be reached until the end of the year.

Smartwatches typically have far fewer features and applications than other mobile devices, but they can still become security and privacy liabilities for several reasons:

Data connections to smartphones:

The small size of smartwatches means that they usually don't have their own cellular or Wi-Fi radios. Instead, they rely on Bluetooth to communicate with the user's smartphone, which runs more or less the same OS as the watch. Accordingly, a large number of threats can already reach smartwatches by way of Android.

Plaintext transmission of information:

Smartwatches and similar wearables, such as health-tracking wristbands, contain many sensors – accelerometers, gyroscopes and motion detectors – for quantifying the user's activities (e.g., number of steps taken or calories burned). As discussed above, this information is wirelessly transmitted back to the smartphone, but often in plaintext. Someone using a Bluetooth scanner could probably intercept it without touching any of the user's devices.

Easily discoverable authentication and identity:

Although some smartwatches feature iris scanners for secure biometric authentication, passwords may also be entered via the device's touchscreen. At the 2014 Black Hat conference, one researcher demonstrated how it was possible to lift passwords from a smartwatch or smartphone by monitoring its user with a camcorder or heads-up display like Google Glass. Similarly, the unique identification codes used by many IoE endpoints make it easier to track them than smartphones.

Overall, smartwatches have not been implicated in any breakthrough vulnerabilities or major incidents yet, but they have not been hardened against common cyberattack techniques, either. Their connections to Android (and soon perhaps iOS) and a propensity to leak information via Bluetooth and large, bright displays mean that they should be taken seriously as endpoint security risks.

The smartwatch as part of the Internet of Everything

The IoE may someday encompass billions of IP-enabled devices, many of them out of sight, such as sensors embedded in automobiles, kitchen appliances and home security systems, all of which communicate with the cloud much like a PC or smartphone does today. In contrast, smartwatches and devices such as the Nest Thermostat are akin to the front-end of the IoE – non-traditional computers that collect information directly from users and then relay it to the rest of the IoE.

Lest someone think that a smartwatch is just a dumb terminal, many of the early Android Wear designs, such as the LG G Watch, can access an impressive suite of Google services, including Google Now, Gmail and Hangouts. Plus, the LG model has 512 MB RAM, putting it on par with 2011's iPhone 4S in that respect. While smartwatches will always constitute a small sliver of the IoE, the industry behind them was worth $700 million in 2013 and could top $2.5 billion in 2013, with Samsung leading the way among manufacturers early on.

The ingredients – capable technology, support from well-known OEMs and a new hardware form factor – are there for a major boost to the wearables market from smartwatches. So what are the risks? The aforementioned vulnerabilities, such as plaintext data transmission, may be among the surfaces that cybercriminals go after as they look for ways to manipulate this new class of technology.

"[T]here's the huge security question of what the security implications of connecting these kinds of devices to the Internet will be," wrote Christopher Budd of Trend Micro in a January 2014 blog post. "Every time we connect a new class of device to the Internet we learn the hard way how they can be attacked and subverted."

Security for the smartwatch age

Certainly, many of the issues that first made PC security a necessity – e.g., malware delivered via compromised websites, vulnerabilities due to outdated/unsupported software – did not go away in the transition to mobile. Will they persist as computing is extended to a wider range of devices?

There's cause for optimism with smartwatches and other wearables, since the biometric data they can so easily collect could be used for multi-factor authentication that is safer than password-based mechanisms. But this contribution to security shouldn't mask the risks associated with extending IP connectivity to more endpoints than ever before.

The smartwatch market is still in its infancy, so there's time to get out ahead of security issues. Privacy and data protections should be front and center concerns for enterprises, consumers and device manufacturers as new devices loom.
