What's the next frontier in consumer gadgetry? Many of the biggest technological advances of the past 30 years have been in software – think Microsoft Windows commodifying IBM PCs, or Android and iOS displacing bare-bones feature phone operating systems throughout the developed world. Nevertheless, end users and journalists alike clamor for new hardware, and that means something that isn't a PC, smartphone or tablet.
There are plenty of candidates (some of them, like Google Glass, have so far failed to catch on), but the smartwatch is definitely one of the most talked about post-smartphone form factors. Google's nascent Android Wear program already has a few manufacturers on board, while Apple may be working on similar, albeit likely more vertically integrated, products for release later this year.
It would be surprising if the smartwatch market were ever close to the size of the one for smartphones. Even as a fringe gadget, though, the smartwatch could have implications for cybersecurity, as an endpoint within the emerging Internet of Everything. Compared to IoE sensors in trash cans or lampposts, smartwatches are much closer to end users, making them ideal conduits for surveillance as well as malware distribution.
Smartwatches, Android and the rise of mobile malware
In a monthly security review document published in October 2013, Trend Micro researchers cited "new devices like smartwatches and new OS versions like [Android] KitKat" as potential enablers of the long-term rise in mobile malware. At the time, the firm had recorded more than 1 million malicious and risky Android apps, ahead of its projections that such a number wouldn't be reached until the end of the year.
Smartwatches typically have far fewer features and applications than other mobile devices, but they can still become security and privacy liabilities for several reasons:
- Data connections to smartphones: The small size of smartwatches means that they usually don't have their own cellular or Wi-Fi radios. Instead, they rely on Bluetooth to communicate with the user's smartphone, which runs more or less the same OS as the watch. Accordingly, a large number of threats can already reach smartwatches by way of Android.
- Plaintext transmission of information: Smartwatches and similar wearables, such as health-tracking wristbands, contain many sensors – accelerometers, gyroscopes and motion detectors – for quantifying the user's activities (e.g., number of steps taken or calories burned). As discussed above, this information is wirelessly transmitted back to the smartphone, but often in plaintext. Someone using a Bluetooth scanner could probably intercept it without touching any of the user's devices.
- Easily discoverable authentication and identity: Although some smartwatches feature iris scanners for secure biometric authentication, passwords may also be entered via the device's touchscreen. At the 2014 Black Hat conference, one researcher demonstrated how it was possible to lift passwords from a smartwatch or smartphone by monitoring its user with a camcorder or heads-up display like Google Glass. Similarly, the unique identification codes used by many IoE endpoints make it easier to track them than smartphones.
Overall, smartwatches have not been implicated in any breakthrough vulnerabilities or major incidents yet, but they have not been hardened against common cyberattack techniques, either. Their connections to Android (and soon perhaps iOS) and a propensity to leak information via Bluetooth and large, bright displays mean that they should be taken seriously as endpoint security risks.
The smartwatch as part of the Internet of Everything
The IoE may someday encompass billions of IP-enabled devices, many of them out of sight, such as sensors embedded in automobiles, kitchen appliances and home security systems, all of which communicate with the cloud much like a PC or smartphone does today. In contrast, smartwatches and devices such as the Nest Thermostat are akin to the front-end of the IoE – non-traditional computers that collect information directly from users and then relay it to the rest of the IoE.
Lest someone think that a smartwatch is just a dumb terminal, many of the early Android Wear designs, such as the LG G Watch, can access an impressive suite of Google services, including Google Now, Gmail and Hangouts. Plus, the LG model has 512 MB RAM, putting it on par with 2011's iPhone 4S in that respect. While smartwatches will always constitute a small sliver of the IoE, the industry behind them was worth $700 million in 2013 and could top $2.5 billion in 2013, with Samsung leading the way among manufacturers early on.
The ingredients – capable technology, support from well-known OEMs and a new hardware form factor – are there for a major boost to the wearables market from smartwatches. So what are the risks? The aforementioned vulnerabilities, such as plaintext data transmission, may be among the surfaces that cybercriminals go after as they look for ways to manipulate this new class of technology.
"[T]here's the huge security question of what the security implications of connecting these kinds of devices to the Internet will be," wrote Christopher Budd of Trend Micro in a January 2014 blog post. "Every time we connect a new class of device to the Internet we learn the hard way how they can be attacked and subverted."
Security for the smartwatch age
Certainly, many of the issues that first made PC security a necessity – e.g., malware delivered via compromised websites, vulnerabilities due to outdated/unsupported software – did not go away in the transition to mobile. Will they persist as computing is extended to a wider range of devices?
There's cause for optimism with smartwatches and other wearables, since the biometric data they can so easily collect could be used for multi-factor authentication that is safer than password-based mechanisms. But this contribution to security shouldn't mask the risks associated with extending IP connectivity to more endpoints than ever before.
The smartwatch market is still in its infancy, so there's time to get out ahead of security issues. Privacy and data protections should be front-and-center concerns for enterprises, consumers and device manufacturers as new devices loom.