Jahmel Harris, Security Consultant
10 mins read
Android Wear devices ship with a version of Android designed for the watch form factor, and Apple has created watchOS for their line of smart watches which can introduce new security vulnerabilities on top of vulnerabilities found in Android and iOS. As these devices become more "cloud" accessible, we need to be aware of where our sensitive data is being sent and stored as well as consider what the impact would be if these devices would be breached by hackers. Sensitive data such as passwords and images are now being sent to online services without users being necessarily aware of it.
In addition to the obvious security concerns, there may be others that have not been considered. For example, these devices will use Bluetooth or Bluetooth Low Energy to communicate meaning we now require our smart phones to have Bluetooth on permanently which may increase the attack surface of our devices. If the Bluetooth link is broken by hackers, it may be possible for sensitive notifications to be read and it is also not well known where notifications may be logged during normal operation. Research performed by MWR InfoSecurity showed it was possible to recover the plain text messages sent over Bluetooth with physical access.
Although many security protections exist in many smart watches (e.g. Android Wear uses the Android permission model to protect users) as smart watches do use full Operating Systems and many software stacks, there is always risk involved as the software can be large and complex. As more devices are used for mobile banking, hackers may start to target mobile devices (including smart watches and smart phones) as they become more a more lucrative target. Each platform will introduce its own set of security features, but ultimately, it is hard to say which is the most secure platform. Currently watchOS only allows screens to be drawn on the watch, meaning it is less likely to run malicious code; however, this does make it harder for developers to write secure software specifically for the platform. On the other hand, Android Wear allows apps to be installed on smart watches, which means app developers are free to add further protections (such as additional encryption) although this may increase the risk of malware being installed.
As smart watches are designed more for viewing data/notification, the way they are used can make them slightly less vulnerable to theft than smart phones. Developers are encouraged to store data on the smart phone and transmit data to the smart watch which limits the data that can be stolen. As smart watches start to take advantage of WiFi/Mobile Networks to increase the distance between the smart phone and smart watch, it may be that a stolen device could lead to leaked data as users are not yet used to the idea of setting a lock screen. Android Wear allows users with devices that can connect to WiFi networks the ability to remotely revoke them from a network, however this does not wipe all data from the device.
Currently we are not yet seeing many attacks on smart watches, however we expect this may increase as more users move to using these devices for payments. Both Google and Apple have gone to great lengths to protect against the type of attacks which will allow malware to spread from watch to phone, however it is important to be vigilant of how these devices are used. Although in theory, it would not be possible to perform an attack from a smart watch that couldn't also be performed from a phone, the change in form factor may lead to extra avenues as these devices may be more trusted. For example, locations which have banned smart phones may not yet have applied the same bans to smart watches which could be used to exfiltrate data or attack networks. Applications could also be installed covertly on some smart watches which behaves differently to the software running on phones, making it more challenging for security researchers to analyse malware.
The protection of data from shoulder surfing should definitely be considered. Locking a phone can stop an attacker from reading messages, however unless a lock is set on the watch, a casual glance can reveal a lot of potentially sensitive information. Without a lock screen, physical access would allow an attacker to change setting, putting data further at risk.
In a workplace environment, especially those that employ BYOD, people should consider what could happen if a smart watch is lost or stolen. If previous notifications can be revealed by an attacker, it may be possible for an unauthorised user to view data they shouldn't.
The same protections should be applied to both smart phones and smart watches where appropriate. In the case of Android Wear, devices should be encrypted and a lock screen should be enabled. With Lollipop, Android Wear is now shipped with keyguard, the same lock screen used by Android.
Care should made not to view sensitive information in public places and users should consider who has physical access to these devices just as they would with smart watches.
One thing we've seen is that developers are often not aware of the changes that have been made to the smart phones that allow them to communicate with their respective smart watches. Android Wear requires developers to create a service in their application, effectively creating an "opening" which is required to communicate data between Android and Android Wear. Although in theory, this service can only be used by Android Wear, some research performed by MWR has shown that it is possible to communicate with this service from a rooted wearable (or vice versa).
As a weakness in one may put the other at risk it is particularly important that security controls such as root detection, obfuscation, and integrity checking are performed on both the applications written for Android Wear and Android.
In the case of Apple Watch, MWR have seen developers weakening the security of the iOS application in order to allow sensitive information to be passed to the smart watch.
Currently, few Mobile Device Management (MDM) systems offer support for smart watches so it may be more appropriate to disable their use in corporate environments. As these smart watches become more "phone like" it may be possible to leverage current BYOD infrastructure to allow the use of these devices, but there may always be an element of risk until the use of smart watches is wide spread.
Some high security areas should consider the possibility of restricting all technical devices, including the watch, as in the future we may start to see more smart gadgets (the NFC ring is already being discussed).