Same Security Threats, Different Devices: Wearables and Watchables

September 15, 2014

The word “wearable” was once merely an adjective describing an article of clothing that was easy to wear. Now “wearable” refers to a mobile device that users wear on their body, and this latter wearable was a major topic of discussion last week.

Who-is-looking-thru-the-Google-Glass

The reason for this topicality is, like last September and the September before that and so on and so forth since the dawn of iPhone, Apple held one of its special look-at-all-of-our-new-things event. This year, the centerpiece of that event was perhaps the most eagerly anticipated wearable since Google Glass: the Apple Watch.

My colleague Alex Savitsky did a nice job of summing up the types of people that anticipate these devices in his analysis of security in Apple’s new payment platform, but I’d like to revise his three types to these four: the people who stubbornly refuse to buy Apple products as if they were slighted by the late Steve Jobs himself, the people who tweet and blog sardonically about how Apple is the worst from their beloved Macbook Pro with retina display, the people who would buy dirt from Apple and troll your comment section for days if you suggested that Apple’s iDirt is just sort of the same as regular dirt and, finally, people who are just generally excited about a new product with all sorts of interesting uses.

To steal another colleague’s words, this time Peter Beardmore, and use them in a totally different context, the “premium” users pay for all of these flavor-of-the-week products, whether it’s the Apple Watch, Google Glass or a dishwasher that asks you about your day and actually listens when you launch into a diatribe about how no one at work appreciates you, is almost never based on security.

Being based on Android, Glass could inherit known vulnerabilities found in other devices with the same OS

Here’s the problem: innovative devices face traditional threats and are, sometimes, more susceptible to them. Perhaps even worse yet, in time, innovative devices will face innovative threats. And Apple Watch, as its rather Orwellian name suggests, will do just that. It and all the other wearables will watch what you do, gathering information about you and shipping it off to any number of third parties.

Roberto Martinez, a security and malware analysts on Kaspersky Lab’s Global Research and Analysis Team, struck at the core of this issue in a recent Securelist article, examining the peaks and pitfalls of Google Glass.

“New and existing devices have many things in common: they use the same protocols and are interconnected with other devices using similar applications. There is no way around this. Traditional attack vectors are mainly against the network layer in the form of Man-in-The-Middle (MiTM), the exploitation of some vulnerability in the operating system, or the applications themselves. Being based on Android, Glass could inherit known vulnerabilities found in other devices with the same OS.”

Martinez goes on to describe an incredibly simple attack, uncovered initially by the mobile security firm, Lookout. One way Google Glass is tuned to connect to the Internet is through viewing QR codes generated by a special mobile app. When Google Glass sees these codes, it will connect automatically. So, all Lookout had to do was create its own QR code, compel Google Glass to view it, and now the device is paired to a wireless network under the control of a potentially malicious party. This is a perfect example of an old threat (malicious QR codes) works affectively against a new device.

“A source of potential risks is that unlike a computer or a mobile device, the Glass interface is navigated through ‘cards’ to scroll through the different applications and settings thus limiting configuration options and in some cases automating certain procedures and functions with little input from the user, as in the case of connecting to a network or sharing information,” Martinez explains. “This automation opens the door for exploitation by attackers and the compromise of user privacy.”

In a more technical attack in a lab setting, Martinez used a tool to trick a Google Glass device into connecting to a malicious network when it thought it was connecting to a legitimate one. This, he claims, could have implications if a Google Glass user were attempting to connect to a public Wi-Fi port.

In their test, while they acknowledged that a lot of their target’s browsing behavior, like Google searches and other web surfing, was encrypted after they captured it, a decent amount of data came through in plain text.

“We found enough information in plain text to correlate and piece together the user’s navigation to airlines, hotels, and touristic destination sites and how and where the device was connected. Nothing too sensitive but in some cases useful for when carrying out a profiling job.”

In the end, Martinez noted, security must be considered as a layered approach. Every layer needs to be considered and secured in order to protect user-data.

“In this case, the network layer could be exposed since the device can connect to public networks but lacks the option for VPN connections thus insuring traffic can be captured and analyzed,” he reasoned.

“In coming months, we’ll see wearable devices becoming the next attack targets, highlighting the need to pay special attention to these devices, their capabilities, and the information they handle.”