Holy sweat! Wearables have THREE attack surfaces

[LASER_oneXM]

The device, the app and the cloud, and your development lifecycle isn’t fit enough to catch up


Black Hat Asia Wearable devices – and anything that relies on an app to help with configuration – has at least three attack surfaces and your existing secure development lifecycle probably isn’t going to cope with the complexity that creates.

So said Kavya Racharla, a security research manager for Intel’s Sports Group, and Deep Armor founder and CEO Sumanth Naropanth at the Black Hat Asia conference in Singapore today.

The pair explained that a typical wearable is developed in a hurry – often six months from conception to shipping – which doesn’t leave much time to consider all the possible security SNAFUs.

Wearables themselves have predictable security requirements: they’re computers with storage and a networking connection. But because wearables are for personal use, they can also leak personal data. Racharla said her research has revealed wearables that store the text used for voice prompts in plaintext. If that same file also stores a user’s name, that’s in plaintext too.

The pair added that the issues they’ve described aren’t unique to wearables: plenty of industrial devices are now provisioned with a smartphone app, then talk to a local gateway or directly to a multi-tenanted cloud service. Those devices have three attack surfaces, too. And as we all saw when the Mirai botnet sprang up in video cameras, all an attacker needs is one to do bad work.