Do wearables increase cyber risk for business?

During the past year, security concerns associated with Internet of Things (IoT) devices have come into sharper focus. Yet the security issues associated with one IoT sector – wearable devices – remain quite blurred. Organizations can’t afford to forget to include wearables as they assess their cybersecurity vulnerabilities and craft their defensive strategies. 

Wearables tend to garner lots of attention when new products such as the latest Apple Watch debut, and then fall from top-of-mind until the next unveiling. But this device sector continues to grow at a steady pace – albeit almost entirely due to the embrace of wrist-worn fitness trackers and smartwatches. For now, other forms of wearables remain little more than a rounding error in this market. 

In its most recent assessment of the wearables sector, market research firm International Data Corp. (IDC) predicted that worldwide wearable device shipments, which reached 102.4 million in 2016, would grow to 237.5 million units in 2021. Watches and fitness wristbands shipped in roughly equal numbers last year, and accounted for about 96 percent of the 2016 wearable shipments. By 2021, watch shipments (64 percent of the total) will significantly outpace fitness wristbands (24 percent of the total), and smart clothing will start making an impact, capturing 9 percent of the market in that year. 

Because the vast majority of wearables today are paired with smartphones or some remote system with which they communicate wirelessly, there are various levels of security vulnerabilities and risks at play. Data stored on the device may be compromised, transmissions to and from the device can be intercepted or manipulated, and ultimately, the servers storing wearable data in corporate or cloud-based data centers can be breached. 

Sadly, for the devices themselves, security has often taken a back seat to attractive designs and popular functionality. This became apparent two years ago when a study conducted by HP Fortify found 100 percent of the smartwatches it tested were vulnerable to attack. Among the flaws HP Fortify found:  

  • no smartwatch offered two-factor authentication for its mobile pairing interface 

  • the use of encryption for communications and firmware updates was spotty 

  • all watches stored personal information that could be valuable to hackers. 

Exposure of personal information — ranging from health metrics to Social Security numbers — is a top security concern associated with wearables. However, these devices also pose threats to corporate data and systems. Given the popularity of the BYOD trend, for instance, many mobile phones today store both personal and corporate data. If a poorly secured wearable device is paired with the employee’s phone, the wearable could give attackers a route to access the phone’s corporate content. 

The scenarios for wearable-based vulnerabilities are as varied as the wearables themselves. During its short-lived tenure, for example, Google Glass was hacked, allowing its video stream to be broadcast to anyone. Future iterations of video wearables – including those using augmented reality to superimpose content over real-world scenes – could potentially expose videos of everything from internal office scenes to sensitive computer screens. 

It can be difficult for organizations to keep track of the wearables their employees bring into their work environments, to say nothing of how hard it is to assess the security strengths and weaknesses of individual devices. Still, companies can’t afford to turn a blind eye to these devices. Any comprehensive security strategy must address the risks associated with existing wearable devices, and must evolve to encompass the future generations of wearables that will become increasingly common workplace accessories. 

Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.

Copyright © 2017 IDG Communications, Inc.