With Apple's Watch looming, is it time firms faced up to wearable security?

Companies are already seeing wearables around the workplace but it seems many haven't considered the wave of adoption that could be imminent — and the privacy and security issues it will raise.
Written by Toby Wolpe, Contributor

Given figures suggesting Apple could have shipped over 47 million Watches by the end of 2016, some firms seem remarkably relaxed about the potential impact of wearables on staff privacy and corporate security.

Some 64 percent of companies are not concerned by the proliferation of wearables, half of them think there's no need to introduce limitations on data captured by wearables, and 15 percent see no security issues at all, according to research from Trend Micro.

"Sooner or later, almost everybody will have these devices and if we haven't talked about these implications, if we haven't thought about it, it will be too late," Trend Micro CTO Raimund Genes told a London roundtable event this week.

"We saw this with bring your own device, which for a few companies has been bring your own disaster. We saw it with the internet. The internet was never designed with safety in mind, and when I look at all the new battery-optimised communications protocols, nobody has designed in any security."

Communications over battery-optimised technologies such as Bluetooth Low Energy (BLE) and ZigBee cannot be seen by monitoring IP network traffic.

The study, which quizzed 100 senior IT decision makers from large UK businesses, found 69 percent have already seen staff bringing wearables into the workplace.

This week, analyst Stifel suggested that Apple could deliver 19.6 million watches in 2015 and 27.8 million in 2016. Earlier this month Gartner projected that the smart fitness device market alone could grow to 91.3 million units by the end of 2016.

Genes said, particularly in the case of company-issued devices, employees will be concerned about the purposes to which personal data may be applied.

"Employees [say] 'Hey, my boss can see where I am. They know my whereabouts. Say they could track how much time I spend in the restroom'. So think about all the fitness devices linked with your phone, they do exactly the same," he said.

"Again, linking this to corporate usage also might pose a risk. It may pose a privacy data risk but it also might be an entry point for an attacker to get into your organisation because you have to pair this device with your device via Bluetooth. There might be security implications."

To satisfy privacy concerns, employees need to discover in detail how their data is being used by wearables, not just the primary purposes of the device, which might be to monitor fitness, but also the secondary purposes.

"What about all the free offers for fitness trackers? Is there a reason why they are free? Is this data shared and used by others? If something is free in the internet, you are the product to be sold. And this has been proved forever," Genes said.

He said there has already been growth in the number of corporate apps that tap into the capabilities of wearables. "I have a complete selection when I look at my Pebble. What could you do, for example, with two-factor authentication? In theory, you don't even need your phone anymore to authenticate yourself to your corporate network because you could have key generators on your watch," he said.

This type of feature has clear security implications, which is why company IT departments need to test forensically every enterprise app, whether it runs on a smartwatch, smartphone or computer, before approving it. Without such checks, the app might provide a perfect scenario for a security breach, according to Genes.

"If I get a list of all your employees and they're standardising on a certain smartwatch device, and I issue them with a Trojan so I get to see every email on the watch, even if it's just a subject line — it will immediately tell me what's going on within the company," he said.

"If I can't attack it from the corporate network and from the Exchange server but get it for free from the watches, why wouldn't I do it?"

Another potential area of concern is the vulnerability of services storing the personal data online.

"The problem is all these devices normally aggregate the data via a third-party cloud service. How safe is this cloud service?" Genes said.

"If I hack this cloud service, I not only get your profile, I get the profile of your employer, I get your working habits, which then makes you an easy target for phishing and attacks to get into the corporate network."

Along with measures such as employee education, it is important to develop a wearables policy, while avoiding a draconian approach.

"Where people go to overkill and stop it all, they're driving people into bringing their own devices and then you can't manage it at all. So don't be too strict," Genes said.

"You have to do risk management. There is no 100 percent solution for any aspect of security. You have to figure out what is your acceptable risk."

Data being collected by a third party might be anonymous but if it is being correlated with usernames and phone geolocation information at the back-end, there are obvious privacy and security issues.

"Maybe your CEO is sharing all this data but based on this it might be interesting to figure out what kind of merger you're planning next because people will figure out his current geolocation because he shares too much," Genes said.

"It all depends on the kind of organisation you are. The more stuff you bring into the workspace, the higher the risk that something is leaking out. When these things are sharing data with each other, could you really be sure that every device in the sharing chain is safe?"
