All the buzz at the Consumer Electronics Show in Vegas last month was on wearable technology. If you've been living on the Moon for the past year and don't know what I'm talking about then take a look at Google Glass or the numerous imitators coming to market; smart watches like Samsung Gear or the Pebble; and even innovations like the Oakley Airwave smart ski goggles. Along with the appearance of some of these products in online stores and on the high street have come alarming tales of security vulnerabilities. However, it's time for a reality check. There's no immediate risk to wearables: we should instead focus more effort on securing our smartphones.
All of the wearable gadgets that seem to garner so many column inches these days have Linux-based operating systems adapted specifically for that device. Added to this is the fact that penetration is still pretty low. Google Glass is still in prototype testing with a very small and select group of “Glass Explorers” while Samsung has slashed the price of its Gear smart watch in some markets after rumours of poor sales. In other words, there simply aren't enough people using one homogeneous system to make it worth the bad guys' while investing time and money into researching a vulnerability. It's highly likely that, given time, a proof-of-concept hack could be discovered for nearly all wearables. But it's highly unlikely that a master hack compatible with the majority of products on the market could be found.
It's the smartphone, stupid
So where does that leave us? Well, it's possible that wearables could be used in a targeted attack, where the cyber criminal is not looking to infect a large number of users but only a specific organisation. It's possible, but just not likely, for several reasons. First, the wearable gadget is usually a companion device for a smartphone. This means it has minimal input, minimal output, minimal storage, and so on. In short, it has nothing on it worth hacking. Smartphones, on the other hand, are a treasure trove of personal data and a gateway to online accounts and corporate networks; there is one homogeneous and highly insecure OS used by the majority of users globally (Android); and it is incredibly easy for even non-technical cyber criminals to find, on underground forums, attack toolkits and instructions on how to launch attacks.
If in the future this changed, and smartphone security – especially in the Android ecosystem – became much stronger, then wearables might become a more attractive target and be used as an infection vector for your phone. Once again, though, it's a big 'if'.
People have also talked about possible scenarios where Google Glass cameras could be hacked to spy in real-time on board meetings, or to steal users' credit card PINs. However, once again this relies on the assumption that penetration will reach a tipping point which makes it worth the hackers' while. That point is a long time away in the case of Google Glass. If it finally arrives, then such devices could simply be banned from important board meetings, as smartphones are in certain companies and government agencies today.
This is not to say we shouldn't be concerned about such theoretical scenarios: part of the white hat community's role here is anticipating where the threat landscape is headed and raising awareness. It's this kind of activity which keeps the vendors on their toes, urging them to release regular and more secure new iterations which disrupt attack campaigns and cost the bad guys time and money.
However, we need to be clear about where the major security challenges lie today. They're not swamping this nascent industry of wearable technology but can instead be found invading the cloud and mobile devices in ever greater numbers.
Contributed by Raimund Genes, CTO, Trend Micro