Holy sweat! Wearables have THREE attack surfaces

The device, the app and the cloud, and your development lifecycle isn’t fit enough to catch up

Black Hat Asia Wearable devices – and anything that relies on an app to help with configuration – have at least three attack surfaces, and your existing secure development lifecycle probably isn’t going to cope with the complexity that creates.

So said Kavya Racharla, a security research manager for Intel’s Sports Group, and Deep Armor founder and CEO Sumanth Naropanth at the Black Hat Asia conference in Singapore today.

The pair explained that a typical wearable is developed in a hurry – often six months from conception to shipping – which doesn’t leave much time to consider all the possible security SNAFUs.

Wearables themselves have predictable security requirements: they’re computers with storage and a networking connection. But because wearables are for personal use, they can also leak personal data. Racharla said her research has revealed wearables that store the text used for voice prompts in plaintext. If that same file also stores a user’s name, that’s in plaintext too.


Matters are further complicated by the fact that a wearable will often share data with several smartphone apps. One might record data, another control music, while a third sends text messages to the device. But the pair explained that Bluetooth shares its signal with all apps on a mobile device, so personal information intended for an exercise-tracker app can leak into other apps, or be picked up by malware dedicated to slurping the Bluetooth feed from a wearable. Such concerns also assume that developers applied proper encryption to the wearable-to-smartphone link and implemented Bluetooth correctly. One slip and … you get the rest.

And then there’s the cloud, where many wearables store data and analyse it so that users [wearers – Ed] can get a picture of their performance. Mistakes as simple as a misconfigured AWS S3 bucket can cause trouble, while a simple XSS attack could expose personal data and even identify an individual wearable device.

To make life even more complicated Naropanth said he knows of circumstances in which a single wearable device has been rebranded by multiple companies, but all data resides in a single database. Under such conditions, developers need to exercise caution so that Nike customers remain separated from Adidas customers, to use Naropanth’s hypothetical example of the risks in play.
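The separation Naropanth describes, as an added Python illustration that is not from the talk or the article: one shared table of readings from rebranded hardware, a lookup that forgets the tenant, the tenant-scoped version, and a boundary tripwire that catches a missed filter. The brand names, record fields and session model are assumptions.

```python
# Added illustration (hypothetical data and API, not from the talk or the article):
# tenant-scoped access to a single database shared by several brands of one wearable.
from dataclasses import dataclass

# Constructed sample: the same hardware sold under two brands, one shared table.
ACTIVITY_DB = [
    {"device_id": "dev-001", "brand": "nike",   "user": "alice", "steps": 8100},
    {"device_id": "dev-002", "brand": "adidas", "user": "bob",   "steps": 5200},
    {"device_id": "dev-003", "brand": "nike",   "user": "carol", "steps": 12000},
]


@dataclass(frozen=True)
class Session:
    """Authenticated caller. The brand is bound to the credential issued to the
    brand's app or backend at login, never taken from a request parameter."""
    user: str
    brand: str


class TenantViolation(Exception):
    """Raised when a result set contains rows belonging to another brand."""


def get_activity_unsafe(device_id):
    """The weak pattern: a global lookup keyed only on device_id, so any brand's
    backend that knows an id can read another brand's customer data."""
    return [r for r in ACTIVITY_DB if r["device_id"] == device_id]


def get_activity(session, device_id):
    """Hardened: every query carries the caller's tenant. A record that exists but
    belongs to another brand is simply not found, so there is no existence oracle."""
    return [r for r in ACTIVITY_DB
            if r["device_id"] == device_id and r["brand"] == session.brand]


def list_activity(session):
    """Tenant-wide listing, constrained to the caller's brand in the same way."""
    return [r for r in ACTIVITY_DB if r["brand"] == session.brand]


def enforce_tenant(session, rows):
    """Boundary tripwire for the API layer: refuse to return a result set that
    contains another brand's rows, which catches a code path that skipped the
    filter (such as get_activity_unsafe) before the data leaves the service."""
    leaked = [r for r in rows if r["brand"] != session.brand]
    if leaked:
        raise TenantViolation(f"{len(leaked)} row(s) outside tenant {session.brand!r}")
    return rows
```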

Racharla and Naropanth therefore advanced the idea of extensions to common secure development lifecycles to take into account the fast development cycles wearables demand. The pair recommended a development methodology that adds distinct lifecycles for security and privacy, plus the creation of an incident response plan should a wearable be found to be leaking data. That plan means that legal teams will need to be deeply involved in wearable product development.

The pair added that the issues they’ve described aren’t unique to wearables: plenty of industrial devices are now provisioned with a smartphone app, then talk to a local gateway or directly to a multi-tenanted cloud service. Those devices have three attack surfaces, too. And as we all saw when the Mirai botnet sprang up in video cameras, all an attacker needs is one to do bad work. ®

Biting the hand that feeds IT © 1998–2022