Holy sweat! Wearables have THREE attack surfaces
The device, the app and the cloud, and your development lifecycle isn’t fit enough to catch up
Black Hat Asia Wearable devices – and anything that relies on an app to help with configuration – has at least three attack surfaces and your existing secure development lifecycle probably isn’t going to cope with the complexity that creates.
So said Kavya Racharla, a security research manager for Intel’s Sports Group, and Deep Armor founder and CEO Sumanth Naropanth at the Black Hat Asia conference in Singapore today.
The pair explained that a typical wearable is developed in a hurry – often six months from conception to shipping – which doesn’t leave much time to consider all the possible security SNAFUs.
Wearables themselves have predictable security requirements: they’re computers with storage and a networking connection. But because wearables are for personal use, they can also leak personal data. Racharla said her research has revealed wearables that store the text used for voice prompts in plaintext. If that same file also stores a user’s name, that’s in plaintext too.
Wearables are now a two-horse race and Google lost very badlyREAD MORE
Matters are further complicated by the fact that a wearable will often share data with several smartphone apps. One might record data, another control music, while a third sends TXT messages to the app. But the pair explained that Bluetooth shares its signal with all apps on a mobile device, creating potential leakage of personal information intended for consumption by an exercise-tracker into other apps or for malware dedicated to slurping the Bluetooth feed from a wearable device. Such concerns also assume that developers applied proper encryption to the wearable-to-smartphone link and implemented Bluetooth correctly. One slip and … you get the rest.
And then there’s the cloud, where many wearables store data and analyse it so that users [wearers – Ed] can get a picture of their performance. Mistakes as simple as a misconfigured AWS S3 bucket can cause trouble, while a simple XSS attack could expose personal data and even identify an individual wearable device.
To make life even more complicated Naropanth said he knows of circumstances in which a single wearable device has been rebranded by multiple companies, but all data resides in a single database. Under such conditions, developers need to exercise caution so that Nike customers remain separated from Adidas customers, to use Naropanth’s hypothetical example of the risks in play.
Racharla and Naropanth therefore advanced the idea of extensions to common secure development lifecycles to take into account the fast development cycles wearables demand. The pair recommended a development methodology that adds distinct lifecycles for security and privacy, plus the creation of an incident response plan should a wearable be found to be leaking data. That plan means that legal teams will need to be deeply involved in wearable product development.
The pair added that the issues they’ve described aren’t unique to wearables: plenty of industrial devices are now provisioned with a smartphone app, then talk to a local gateway or directly to a multi-tenanted cloud service. Those devices have three attack surfaces, too. And as we all saw when the Mirai botnet sprang up in video cameras, all an attacker needs is one to do bad work. ®