Cyber-risk May Take a Bite Out of Apple Watch

Apple has unveiled the Apple Watch—a smart wearable that will function as a Mac-on-the-wrist. It has tech-heads excited, but security researchers warn that consumers should be careful of the potential cyber-risks that the gadget’s on-board connectivity represents.

“Our goal has always been to make powerful technology more accessible,” Apple says of the watch. “More relevant. And ultimately, more personal. Apple Watch represents a new chapter in the relationship people have with technology. It’s the most personal product we’ve ever made, because it’s the first one designed to be worn.”

And therein lies the first problem, according to some.

“I don’t feel the need to walk around with a beacon on my wrist that wouldn’t even last long enough if I was caught in an avalanche,” said Brett Fernicola, chief information security officer at STEALTHbits Technologies, in an email. “I’ll pass on the smartwatch craze and stick to a traditional watch that does one thing well, tell time without ever having to come off my wrist or put my personal information in danger.”

The danger comes from the fact that the watch will come equipped with Wi-Fi and Bluetooth, which is of course a boon for its role in the internet of things (IoT). Imagine that it can automatically upload GPS-based running route information to a maps app on an iPad, for a topographical representation of one’s marathon training progress, say. Or, a smart fridge can send a reminder to the watch when the wearer enters a grocery store, noting that the milk is past its expiration date. It can happen. And probably will.

But the downside of that is an increased threat surface.

“The fact the device uses both Wi-Fi and Bluetooth will provide a great deal of interoperability and additional functionality for the watch; however, it also comes at the price of increasing the attack surface for the device,” said Ken Westin, senior security analyst at Tripwire. “Given the fact that it is a high profile device which will have wide adoption, you can bet security researchers and hackers alike will be poking and prodding the watch to find new vulnerabilities as well as take advantage of existing attack vectors leveraging weaknesses in both Wi-Fi and Bluetooth.”

He added that the watch can be used to track individuals in physical spaces, which has both security and privacy implications, not just from a malicious attacker's perspective, but also from that of overzealous marketing.

“The fact the Apple Watch also integrates third-party apps could also increase security and privacy concerns,” he said.

Of course, in theory, none of this is new, per se, as these are all threats and concerns that hold true with the smartphones that most of us have in our pockets. And Samsung and others have had smartwatches on the market for some months. Philip Lieberman, president at Lieberman Software, is taking a wait-and-see approach.

“Given the demos and its wireless nature, there appears to be a new security vulnerability surface area for this device whereby the local phone-to-watch device network may be subject to wireless skimming/spoofing,” he noted in an email. “As to how vulnerable the design is, that will remain a mystery until the device is released and the full community of researchers have had a chance to review and sniff the traffic between the Apple devices as well as review the SDKs for the new device.”
