The Apple Watch is arriving in the enterprise in increasing numbers, and it’s here to stay. According to a recent 451 Research survey of Apple Watch owners, 87 percent of respondents are either somewhat or very satisfied with the device and 79 percent say it either meets or exceeds their expectations.
With 83 percent of respondents saying they’re either very or somewhat likely to recommend the Apple Watch for a friend or colleague, it’s worth examining what its arrival could mean for the security of enterprise data.
"The more ways we make data more convenient, the more risk there is to access the data and access things without your knowledge," Lookout CTO Kevin Mahaffey said in a recent interview with CNBC. "Just like adding another door to your house, it’s just adding another way for bad guys to get in."
Smartwatch Security Concerns
A recent HP Fortify study of 10 popular smartwatches (HP didn’t identify which brands were tested) found that every one contained significant vulnerabilities, including insufficient user authentication, lack of transport encryption, insecure interfaces, insecure firmware and privacy concerns. In 90 percent of cases, the study found, communications to and from the watch were easily intercepted.
In December 2014, Bitdefender researchers found it was surprisingly easy to intercept the Bluetooth communications between a Nexus 4 smartphone and an LG smartwatch. "Weaponizing this is only a matter of how much would someone have to gain from reading your conversations," Bitdefender senior security analyst Liviu Arsene said in a YouTube video explaining the findings.
While Bitdefender’s research wasn’t conducted with an Apple Watch, it points out the potential risks of passing information between smartphone and smartwatch without optimal security in place. "With quite a few wearables out there that rely on Bluetooth pairing to receive text messages and for various forms of chatting, security issues should be treated with the utmost seriousness," Arsene said.
Steps to Securing Smartwatches
Noting that "smartwatches will likely replace smartphones as a convenient way to control communication and manage daily tasks," HP Fortify’s report recommended that enterprise security teams take the following steps to improve smartwatch security:
- Ensure TLS implementations are configured and implemented properly
- Protect user accounts and sensitive data by requiring strong passwords
- Implement controls to prevent man-in-the-middle attacks
- Build mobile applications (specific to each ecosystem) into the device – in addition to any vendor-provided or recommended apps
For many companies, accepting the Apple Watch in the workplace also means updating BYOD policies to incorporate wearables, reexamining enterprise mobility management solutions to assess what controls they can provide for the Apple Watch, and considering how security awareness training might promote secure use of the Apple Watch in the enterprise.
Tim Erlin, director of IT security and risk strategy at Tripwire, told eSecurity Planet that while it’s tempting to see the Apple Watch as a material change for enterprise security, it’s unlikely to shift the overall balance much. "While the watch does present an additional potential target for attackers, it’s materially tied to the iPhone and to the Apple ecosystem, both of which are already targets," he said.
In a recent podcast, Tripwire Manager of Security Research and Development Tyler Reguly also pointed out that the Apple Watch benefits from being physically attached to your body.
"Your phone is loose. You can leave it on a table in a restaurant; you can have it fall out of your pocket," Reguly said. "Your Apple Watch is fastened on your wrist, and … as soon as it’s unstrapped from your wrist, it locks itself. So you’re not going to have a loss of information through loss of the watch."
It's the Apps, Stupid
The introduction of apps, Erlin said, presents a far greater risk than the introduction of the Apple Watch.
"It’s most accurate to think of the apps space as a whole, rather than being limited to the watch," he said. "In most cases, the apps don’t create listening services on the devices that are open for direct attack. Apps are more likely to be compromised in the supply chain, through a man-in-the-middle attack or via malicious data being provided to the app."
A vivid example of that kind of threat was recently provided by the discovery of the XcodeGhost malware for OS X and iOS. The malware was repackaged into Xcode installers, which were then used to create legitimate apps that were sold and distributed via the official Apple App Store, potentially infecting millions of users worldwide.
As a result, Erlin said, it’s important for enterprise IT departments to approach the Apple Watch with caution – and with a focus on the security of the apps more than the security of the watch itself.
"While the Apple ecosystem continues to work out the best practices for managing these new devices, the best approach for enterprises is to manage access to their data carefully," Erlin said. "Before rolling out a fancy new Apple Watch app with access to corporate data, ask the tough questions about how you would deal with a breach through that app."
It’s not just about straightforward data exfiltration; malware that impacts an Apple Watch app could take a variety of forms. Researchers at the University of Illinois recently demonstrated that it’s possible to use a smartwatch’s motion sensors to determine what a user is typing on a keyboard.
"We would just like to advise people who use the watch to enjoy it, but know, 'Hey, there’s a threat,'" researcher Ted Tsung-Te Lai said in a statement.
While the University of Illinois researchers used a Samsung Gear Live smartwatch, they stated that any wearable device using motion sensors – such as the Apple Watch – could be vulnerable to the same exploit.
Smartwatch Security Benefits
It’s not all bad news. The Apple Watch can also bring several security benefits to the enterprise. Duo Security and Authy are now offering two-factor authentication apps for the Apple Watch. Several password management solutions, including 1Password, Dashlane, Keeper, LastPass and Zoho Vault, now enable users to find and view saved login credentials on an Apple Watch.
While it might not seem like a significant benefit to be able to generate a one-time passcode or check a complex password on your watch instead of your phone, the ease of use of any security solution is crucial to its adoption – and making it as simple as a glance at your wrist can have a huge impact.
Other apps, such as MicroStrategy’s Usher for Apple Watch, can turn the Apple Watch into a digital key, providing users with secure access to offices, business systems and devices with a gesture or tap. "Apple Watch is the ideal platform to replace the password, plastic card and metal key," MicroStrategy CEO Michael Saylor said in a statement.
While there may be some legitimate concerns regarding the arrival of the Apple Watch in the enterprise, there’s no denying its popularity. The watch is here to stay, and correctly deployed and managed, it has an enormous amount to offer.