Wearables were one of 2014’s defining tech trends, and will likely make the list again at the end of 2015. The Apple Watch is the device everyone’s focused on, but there are numerous other competitors. Microsoft has a new fitness band. TAG Heuer is creating a smart watch. Research firm IDC predicts that wearable shipments will reach 45.7 million this year, an increase of over 230 percent from 2014. Everybody wants in.
But while consumers and tech journalists are waiting in anticipation of these devices, company IT departments are keeping a wary eye on them. One of the key questions for them is how these devices will impact the workplace. Are they harmless, or are they nearly invisible security threats waiting to bring down the network?
Businesses have been dealing with the influx of consumer products into the workplace since the spread of smartphones began in 2007. In some ways, wearable devices are an extension of this trend. Fitness tracking devices, such as the Fitbit or Jawbone UP, are dependent on smartphones for pairing and offloading their data. Even more complex devices like the Apple Watch rely on a smartphone for any intensive processing tasks or for features like GPS navigation.
These devices do pose threats, however, and companies can’t rely on existing BYOD policies to keep themselves secure.
Wearable devices communicate closely with smartphones, and may have indirect access to the networks that these phones connect to. Because current wearable devices lack the security features found in smartphones, they are the so-called "weak link" in your system. If a hacker can breach the security on a smart watch, it’s possible they could gain access to your corporate network as well. Using multi-factor authentication for network access is one way to guard against this.
The design of wearable devices can also undermine security. Most wearables have limited screen space (or none), and communicate through vibrations and taps. This allows consumers to easily pair their devices with their phones. It also makes it easy to trick users into pairing their devices with unknown third parties. In a recent experiment, a researcher from Kaspersky Lab found that numerous smart bands allowed third-party devices to connect with them, and in some cases extract data. Without a screen or clear way to identify what exactly is trying to pair with their smart band, users may simply tap their device to confirm its request, assuming it to be harmless. Educating employees on proper security protocol is the best way to prevent these types of attacks.
The Upside to Limited Hardware
The good news for IT departments is that even if a hacker gains access to a wearable device, there often isn’t much there. Most current devices collect only a handful of metrics, such as step counts or activity patterns. A lot of devices also offload their data to the cloud every few hours to free up additional space. This means a hacker who goes to the trouble of tricking a user into pairing with a third-party device will likely only gain access to a few hours of step counts.
Smart watches are a potentially juicier target for hackers — but still relatively low risk. Most communication between wearable devices and cellphones occurs via Bluetooth. This traffic is encrypted with a six-digit PIN. This PIN can be cracked using brute-force methods, but the hacker must be in close proximity to the device. Once the communication channel has been breached, they can see the plain-text communications sent between the devices. Even so, unless your company is working on top-secret information (and using wearables for data collection or other purposes), it’s unlikely that a hacker could gain too much from this — even for corporate espionage.
These safety measures exist due to the limitations of current hardware. As wearable devices become increasingly powerful, there will be more to gain for hackers and greater consequences for businesses. The low profile of wearable devices makes them difficult for IT departments to strictly regulate, which means training employees on the proper precautions and security measures should be a priority. As technology becomes increasingly decentralized, and the lines between work and personal devices are further blurred, corporate networks will only be as strong as their weakest links.