Consumers are purchasing smartwatches to pair with their mobile devices to track health information, but also to access corporate email, calendar, contacts and corporate apps. This can present a risk to enterprise data leading to possible data loss, but to what extent?
According to a report released at Black Hat 2015 by MobileIron, most organizations began making smartwatch security a priority with the release of the Apple Watch back in April. However, smartwatch security posed risks prior to the Apple Watch release as demonstrated by the vulnerability identified and reported to Samsung for the Samsung Gear 2 Neo in March 2015. Samsung quickly issued a software update in that case.
MobileIron’s Security Research Team analyzed the myriad of various smartwatches (the Apple Watch, Motorola Mobility Moto 360, Samsung Gear 2 Neo, and Shenzhen Qini U8) to identify the risks to enterprise data by pairing them with a mobile device that is connected to enterprise resources, such as email or calendars. The team researched smartwatches that can be paired with Android and iOS devices. Some can pair with both the Android and iOS platforms. A pairing app is required for all of the smartwatches tested.
While most pairing apps were benign, the Shenzhen Qini U8, a less common Chinese-manufactured smartwatch, presented some suspicious behaviors that could pose a risk to personally identifiable information such as access to downloaded and cached content, phone hardware information and more. This particular pairing app was downloaded outside of the Google Play store, available from an unknown IP address in China.
Once the Shenzhen Qini U8 was paired with the Android test smartphone over Bluetooth, data began to sync to the Messaging app. Notifications were received and permitted apps were allowed, including email. Contacts also synced to the device automatically. The only obvious security mechanism built into the device is the “anti-lost” feature that simply alarms when the device is lost, stolen, or simply out of range with the paired smartphone. There is no passcode option to protect the data on the device.
The pairing app has the ability to retrieve information about the mobile service carrier, read the root file system, download cache, and collect the phone number, IMEI and more.
Outside of the Qini U8, one of the most important aspects discovered during the research is the difference in passcode protections of smartwatches when compared to mobile devices.
Most people are familiar with setting a mobile device IN or passcode as a fundamental security best practice to avoid data loss in a lost or stolen scenario. Once the passcode is set, a time-based policy on the device locks the device, say after 15 minutes of non-use.
Smartwatches use the passcode in a much different way. They commonly use a proximity-based approach to protecting the smartwatch. The passcode protection is enabled when the smartwatch loses connectivity to the mobile device (typically Bluetooth), for example, if it was stolen. Furthermore, the Apple Watch uses sensors to determine if it’s on the user’s wrist and enables the passcode protection when the sensor detects that it has been removed.
In all of the smartwatches tested except for the Qini U8, the passcode was an option. The Apple Watch was the only one that prompted for a passcode during setup.
“Smartwatches present various risks to enterprise data,” MobileIron noted. “Some smartwatches are less secure than others. Security for these devices needs to continue to mature, much like it did for smartphones and tablets. Fortunately, some mobile device management (MDM) and enterprise mobility management (EMM) vendors provide containerization to separate enterprise data from personal data.”
The firm added that MDM and EMM containers or personal information management (PIM) solutions for Android and iOS can provide protection against accessing corporate email and data from a smartwatch. This provides a balance between allowing smartwatches to be paired with managed devices and limiting what enterprise data can reside on the smartwatch.