Connected items, and wearables in particular, have become a real hit over the last few months.

This article does not aim to cover all the security aspects of connected devices, since they are numerous and diverse (cars, bracelets, connected industrial sensors, home automation…). A single article wouldn’t be enough to deal with them. The objective here is to focus only on the impact on companies of introducing smartwatches into the IT landscape. These objects can be connected to components of the Information System (smartphone and laptop) and therefore expand the IT exposure surface to threats.

Use Case

A CEO has just purchased a fancy new high-tech toy: a smartwatch. He decides to synchronize his personal smartwatch with his corporate smartphone and can now access his professional emails from his wrist.

Let’s take a closer look at the synchronization between the watch and the smartphone: both devices use Bluetooth technology to communicate, and more specifically Bluetooth LE (Low Energy) in order to reduce battery consumption.

Bluetooth is not known for being a secure communication protocol, and has suffered from several flaws in the past (6-digit pairing PIN, unencrypted traffic, continuous broadcast of signals…). However, newer versions introduce security settings, such as encryption or user interaction to explicitly approve a new connection from a Bluetooth device.

The security level of the communications depends on the Bluetooth version chosen by the vendor, as well as on whether the security settings are implemented within the application. Since these settings increase battery usage, vendors commonly choose not to implement them.

What are the risks related to this new trend?

So that our CEO can receive his emails continuously, Bluetooth is always enabled on his smartphone and smartwatch. Consequently, the following scenarios can happen:

  • Eavesdropping on and/or modification of the signal (and potentially sensitive data) between the smartwatch and the smartphone: a hacker can, for instance, learn about the company’s next M&A deal or a forthcoming redundancy plan by intercepting the CEO’s email.
  • Intrusion into the phone or smartwatch because of the “wide” exposure surface to threats (Bluetooth being continuously enabled): a hacker can collect all the data typed by the CEO on his smartphone (passwords, sensitive information written in an email…).
  • Getting into other IT components via the compromised smartwatch and/or phone: a hacker can install malware on the phone or smartwatch that will be downloaded onto the CEO’s laptop when he recharges his devices over USB. The hacker would then be able to take control of the CEO’s laptop remotely.

This use case can be transposed to other connected devices, for instance cars that synchronize with a smartphone, or connected bracelets that synchronize with a corporate phone or workstation.

In a nutshell, what can be done?

The solutions to put in place in response to this new trend are not obvious. It’s difficult to forbid smartwatches, since they are personal equipment (that can nevertheless be connected to professional devices). As a first step, a risk assessment of this new use can be carried out to better understand a phenomenon that is close to BYOD.

A drastic solution would be to disable Bluetooth on all corporate devices via an MDM. This requires, on the one hand, that an MDM be in place within the organization and, on the other hand, that the organization show great will and patience in dealing with unhappy users (as they won’t be able to synchronize their smartphone with their smartwatch or their car, which a manager or director will find hard to accept). This solution is effective against this new trend, but not very feasible in real life.

Other, more realistic solutions can be studied, for instance raising awareness of this new matter, or formalizing a clear framework for the use of these new objects, which are considered personal and are not controlled by IT (prohibited use, or use tolerated under certain conditions?).