From Google Glass to Apple Watch, wearable tech brings new danger to mobile computing
Wearable technology such as smartwatches including the new Apple Watch, and electronic devices like Google Glass, are bringing new security risks to the fore of mobile computing that their owners will have to address, warned IT security company Kaspersky Lab.
On smartwatches and security, Dmitry Bestuzhev, director of Kaspersky Lab's global research and analysis team in Latin America, noted: 'The day smartwatches become as popular as smartphones, cybercriminals will launch attacks against them too. Meanwhile, at least for now, the number of smartwatch establishments accepting payment by these means is very low, therefore, there is a minimal number of attacks. When they become widely available, cybercriminals will be prepared.'
Meanwhile, Kaspersky Lab researchers, Roberto Martinez and Juan Andres Guerrero, recently looked at Google Glass and Samsung Galaxy Gear 2 to explore how these devices could affect people's privacy and security.
There are two ways to surf the Web from Google Glass: through Bluetooth by pairing with a mobile device that shares its data network connection; or directly through Wi-Fi. The latter gives the user more freedom since it does not require a separate mobile device in order to get to the Web. However, according to Martinez, this functionality also means that the Glass is exposed to network vector attacks, particularly MiTM when a communication between two systems can be intercepted.
This was discovered in an experiment conducted by the researchers. They attached the device to a monitored network and checked the data it transmitted. The results of the captured data analysis showed that not all the traffic exchanged between the device and the hot spot was encrypted, so in this case, it was possible to find out that the attacked user was looking for airlines, hotels and tourist destinations. In other words, it was possible to perform a profiling task, a simple form of surveillance.
'We admit that it is not a very damaging vulnerability, but even so, profiling via meta data from web traffic exchange could become the first step of a more complex attack against the device's owner,' said Martinez, who performed the investigation.
As Guerrero discovered when he examined the Samsung Galaxy Gear 2, the device is deliberately designed to make a loud noise and warn people nearby if it is being used to take a photo.A deeper look into the software of Galaxy Gear 2 revealed that after rooting the device and using Samsung's publicly available proprietary software tool ODIN, it is possible to enable Galaxy Gear 2 to take pictures with its embedded camera silently. This obviously opens the door to possible scenarios in which Galaxy Gear 2 could violate other people's privacy.
Silencing the camera is not the only way to turn a device into a spying tool. Dedicated apps for Galaxy Gear 2 are loaded onto the device with help of Gear Manager, a special app by Samsung designed to transmit an app from the smartphone to the smartwatch. As Guerrero discovered, when an app is installed on the smartwatch's operating system there is no notification shown on the watch display. This makes targeted attacks involving silent app installation possible.
'At this time there is no evidence to suggest that wearables are currently being targeted by professional APT actors,' commented Guerrero. 'However there is a twofold appeal presented by wearables that make them a likely future target if they are widely adopted by consumers. In future the data collected by wearable devices is going to attract new players to the cyber-espionage scene.'
Apple's announcement of its new mobile payments service, Apple Pay, utilising near field communications (NFC), opens up a host of vulnerabilities in both the new iPhone 6 and iPhone 6 Plus, as well as the Apple Watch, Bestuzhev commented.
Referring to Apple Pay, Bestuzhev stated: 'It's important to note that any system is potentially vulnerable, and this usually happens when the value is high and effort needed to hack is low. Unfortunately iTunes account credentials have been readily available on the black market for a while meaning cybercriminals are able to easily access them. As the accounts store the main user's payment information, it is likely that cybercriminals will improve their tactics to steal such credentials. Many Apple customers also use a Windows-based machine while working with their devices and accounts, which can leave them open to attack, even if Apple's technology is secured, the password can be leaked if a user's Windows machine is compromised.'
Bestuzhev added that Apple's use of a PIN to access payment is another source of vulnerability: 'Another important point to consider is that the Touch ID doesn't always work properly, for example, if your fingers are wet, which is why Apple also allows customers to input a PIN. However, this shortcut scheme can abused by cybercriminals while authorising payments. In addition, a further vulnerable point lies in the network layer, within the Network File Copy, which can be intercepted at the end of the payment process.'