Smart devices largely use the same operating system as their smartphone counterparts. This is the case with Android devices. When we talk about smart devices and Android, we’re talking about a mature platform in terms of malware.
“By the end of 2014, we crossed the 3 million mark for cases of new Android malware. It took Windows something like 15 years to hit the 1 million mark for malware. So Android is as viable a platform for malware as Windows,” says Christopher Budd, Global Communications Manager, Trend Micro.
Smart devices are increasingly the new weak link in the cyber kill chain, at least at the reconnaissance level, if not further into the enterprise. CSO examines the vulnerabilities, threats, and proactive enterprise security measures.
Smart device / Bluetooth security issues
Bluetooth-connected smart devices such as smart watches and health monitoring bracelets are new endpoints that the enterprise is not monitoring, says Domingo Guerra, co-founder, Appthority. The enterprise is not protecting these devices behind corporate firewalls or defending against data leakage through them. “Data leakage services that are present in the enterprise are doing nothing over Bluetooth or on these devices,” says Guerra.
“We’re going to have to start looking into watches and other wearables as they come into the enterprise because they represent another interface for the user to access data. We don’t know who or what else can access that data from that device,” says Guerra. Whether a smart device containing email and other data is lost, stolen, or engaged by an attacker via software, it is one more place where sensitive data is found, giving hackers a larger footprint to attack in order to gain a foothold and eventually reach corporate data stores.
From the mobile device perspective, BYOD solutions don’t typically prevent employees from forwarding sensitive data in attachments from their work email inside the secure container to personal email outside the container. If a user reads their email on their watch, there is little to keep malware that transfers to the watch from accessing it.
With Bluetooth, the biggest threat is not the encryption or lack thereof between Bluetooth-enabled smart devices and smartphones. It’s that Bluetooth devices come hardcoded with the same PIN, which is 0000. “It’s not hard to use that weakness to create bad pairings,” says Budd.
Bluetooth as a service runs on a phone in the operating system context. In terms of data access, if someone’s able to infiltrate through Bluetooth then they can potentially have access to your phone at the operating system level. “They can access whatever’s on the phone,” says Budd.
Smart device attacks / security & privacy concerns
Hackers are already using smart devices to aid attacks. “The Nike FuelBand was publishing people’s names and locations on the web. If I have a list of all of the people that use Nike FuelBand in Silicon Valley, I can data mine that and correlate that with LinkedIn to show me all the executives that are from the Bay Area that are doing these runs,” says Guerra. Then with the locations of the runs and the executives’ locations, an attacker can determine perhaps a coffee shop nearby that they frequent, go to the coffee shop, and use packet sniffing or packet capturing there.
It’s not an attack that happens through the wearable itself. The wearable makes it easier for someone who is trying to target a certain company. The attacker can wait for them to work from the coffee shop and then just read all the data that’s going through the unsecured Wi-Fi, or they can try to steal the device to get what’s on it.