The Apple Watch. We know it's pretty and new and sexy and fun to use. We know it will be a great complement to other mobile devices. We know that Apple products in general have an aura of security about them but that they are not completely immune to hack attacks. We know we want one.
But last month Kevin Mahaffey, chief technology officer at the security firm Lookout, threw a wet blanket over all that enthusiasm with a worrisome statement.
"The more ways we make data more convenient, the more risk there is to access the data and access things without your knowledge," Mahaffey said. "Just like adding another door to your house, it's just adding another way for bad guys to get in."
So we decided to dig deeper, and ask several more security experts for some perspective in this CMSWire Discussion Point.
Is the Apple Watch safe for home and work use?
Ryan Spence, Director, Enterprise Mobility Management, MOBI
Spence specializes in the strategic implementation, design and deployment of mobility platforms. As the director of Enterprise Mobility Management for managed service company MOBI, he is tasked with helping companies secure their data and devices. He speaks to corporate and public groups on mobile strategies, security, design and navigating the mobile age. He has also earned mobility certifications from Apple (Mobile Technical Competency) and CompTIA (Executive Certificate in Mobility).
The Apple Watch is not security as usual – it's an extension of a very powerful device that can result in a security risk if users are unaware of the information that’s available on this new wearable.
This new wearable device expands the data set freely distributed over the Internet, often at the unwitting acceptance of its wearers.
Not only can Facebook and Google now automatically know your location anywhere on the planet, they can also know your heart rate and activity. Given these three factors, they can deduce your mood, behavioral economics, choice structures and demographic probabilities.
Let’s imagine that a vice president of product development for a large US company is visiting China. He registers a high heart rate and low physical activity. Certain assumptions can be made about his activity, sparking curiosity for his whereabouts or well-being. This can be tempting information for companies to reference – or, even worse, for hackers to exploit.
The more pertinent threat? Since the Apple Watch contains your calendar, contacts, email and more, this information is viewable even when your iPhone is out of range or powered off. This poses a great threat, with it being yet another device that contains all of your data.
Applications can also automatically load on the Apple Watch upon configuration with a connected iPhone. It’s critical to be aware of the applications that will load automatically versus those that need to be downloaded.
Organizations can help address this situation by sharing an employee policy that outlines how the Apple Watch should be used and the information that’ll be accessible on the device.
Robert Siciliano, CEO, IDTheftSecurity.com
Siciliano describes himself as a "business builder, strategic marketer, security analyst, published author, television news correspondent, actor" and head of IDTheftSecurity.com. He is also a member of the US Department of Homeland Security's Coast Guard Auxiliary Service. A four-time Boston Marathoner and former private investigator, he said he strives to inform, educate and empower people to stay safe in both the physical and virtual worlds.
One problem with the Apple Watch is that it is new – and there will be a rush by both researchers and hackers to be the first to find its flaws. Someone, somewhere will want to attach his or her name to an Apple Watch hack. Hacking a $12,000 device will put any hacker in the big leagues.
It is correct to say that most consumers have the perception that Apple products are "safe" and for the most part that is true relatively speaking. But they do get hacked.
Numerous recent news reports pointing out flaws with Apple iOS security and other issues are raising concerns with industry insiders. In fact, Blackberry is now being brought in to look at Apple's security. Even Apple's security feature Touch ID, which has been out for a while now, still gets hacked occasionally.
But I would say the bigger concern at the moment is the vulnerability in wireless communications between the watch and the iPhone. Researchers have demonstrated vulnerabilities with Bluetooth -- which means any sensitive data in transit may be sniffed out. And WiFi will always be an issue no matter the mobile device.
A lot of people don’t realize that Wi-Fi is inherently insecure. In a corporate environment, Wi-Fi encryption is generally deployed. But in a BYOD environment -- unless mobile device management software is deployed -- then it will be the Wild West for Watch users.
Craig Young, Security Researcher, Tripwire
Young is a computer security researcher with the Vulnerability and Exposure Research Team (VERT) at Tripwire, a provider of advanced threat, security and compliance solutions. He publishes frequent security posts and was recognized in 2013 for his role in disclosing vulnerabilities in the Google ecosystem. He has given talks at BSides SF 2013 and Defcon 21 on vulnerabilities he discovered in Google authentication systems, and has also identified vulnerabilities in various products and open source software projects.
On the surface, there aren’t many new attack vectors for enterprises to worry about from the Apple Watch. For the most part the Apple Watch is just a secondary screen for an iPhone. It’s a way to view incoming messages and access Apple Watch specific interfaces included in select iOS apps.
However, there are some new risks introduced by the Apple Watch's increased use of data transmissions across low-energy Bluetooth and Wi-Fi -- both of which have well documented security shortcomings.
Equipped with a roughly $100 gadget, an attacker can observe the information needed to start eavesdropping on data transmitted over low-energy Bluetooth. While it is unclear to me at this point how Wi-Fi is used by the watch, many attack tools for Wi-Fi networks exist and it is entirely possible that a number of these attack techniques may be used to subvert the Apple Watch Wi-Fi link.
These communication vulnerabilities could expose text messages, emails, and other data shared between the watch and phone but the risks don’t end there. App developers can introduce new security concerns when extending functionality to the watch interface.
One obvious example would be apps like 'Knock', which is designed to unlock a MacBook without a password. Extending trust from a corporate laptop to a phone or smart watch may enable attackers to use that trust by impersonating the smart device, making it possible for a lost watch to become the potential source of a corporate data breach.
The possibility of corporate espionage stemming from a compromised smart watch cannot be overlooked because of the presence of a microphone on the Apple Watch.
While phones could also fall prey to this style of attack, it is worth noting that phones oftentimes go into pockets or purses, where the device is probably locked and audio would generally be muffled. The Apple Watch does not have these constraints because it generally stays on the owner's wrist, in a prime position to surreptitiously eavesdrop on its surroundings.
As much as Apple would like to pretend this isn't the case, researchers have shown time and again that it is not only possible to get malicious applications onto the App Store but that in some cases it is downright easy. Even without malicious intent from the developer, applications using the watch's microphone may inadvertently create security hazards by failing to properly protect transmitted audio.
Title image by Asa Aarons Smith/all rights reserved.