Beware wearables and IoT: Kaspersky on security risks
By Digital News Asia September 22, 2014
- Company looks into security implication of IoT and wearables
- Vulnerabilities found in Google Glass and Samsung Galaxy Gear 2
WEARABLES – smartwatches and miniature electronic devices like Google Glass – are the new class of personal connected devices that allow access to the Web and applications with even greater convenience than smartphones and tablets.
However, this plethora of new devices also brings several new security risks that their owners will have to address, Kaspersky Lab said in a statement.
The security company said it has prepared a series of reports on the risks of connected devices and the hyper-connected world in order to alert the public to the security implication of the Internet of Things (IoT).
Recently, Kaspersky Lab researchers Roberto Martinez and Juan Andres Guerrero looked into Google Glass and Samsung Galaxy Gear 2, exploring how they could affect people’s privacy and security.
Google Glass and the Man-in-the-Middle
There are two ways to surf the Web from Google Glass: Through Bluetooth pairing with a mobile device that shares its data network connection, or directly through WiFi, the two researchers said.
The latter gives the user more freedom since it doesn’t require a separate mobile device in order to get to the Web. However, according to Martinez, this functionality also means that the Glass is exposed to network vector attacks, particularly MiTM (Man-in-the-Middle) attacks when a communication between two systems can be intercepted.
This was discovered in an experiment conducted by the Kaspersky Lab researchers: They attached the device to a monitored network and checked the data it transmitted. The results of the captured data analysis showed that not all the traffic exchanged between the device and the hot spot was encrypted.
In particular it was possible to find out that the attacked user was looking for airlines, hotels and tourist destinations. In other words it was possible to perform a profiling task, a simple form of surveillance.
“We admit that it is not a very damaging vulnerability, but even so, profiling via metadata from Web traffic exchange could become the first step of a more complex attack against the device’s owner,” said Martinez, who performed the investigation.
Galaxy Gear 2’s spying potential
As Kaspersky Lab researcher Guerrero discovered when he examined his Samsung Galaxy Gear 2, the device is deliberately designed to make a loud noise and warn people nearby if it is being used to take a photo.
A deeper look into the software of Galaxy Gear 2 revealed that after rooting the device and using Samsung’s publicly available proprietary software tool Odin, it is possible to enable Galaxy Gear 2 to take pictures with its embedded camera silently.
This obviously opens the door to possible scenarios in which Galaxy Gear 2 could violate other people’s privacy.
Silencing the camera is not the only way to turn the smartwatch into a spying tool, Kaspersky Lab said.
Dedicated apps for Galaxy Gear 2 are loaded onto the device with help of Gear Manager, a special app by Samsung designed to transmit an app from the smartphone to the smartwatch.
As Guerrero discovered, when an app is installed on the smartwatch’s operating system there is no notification shown on the watch display. This obviously makes targeted attacks involving silent app installation possible.
“At this time there is no evidence to suggest that wearables are currently being targeted by professional APT (advanced persistent threat) actors,” Guerrero said.
“However there is a twofold appeal presented by wearables that make them a likely future target if they are widely adopted by consumers. In future the data collected by wearable devices is going to attract new players to the cyber-espionage scene,” he added.
More information about Google Glass and Galaxy Gear 2 smartwatch security risks can be found on Securelist.com.
Google’s next frontier: Everything, everywhere
Samsung at CES: Diversification the key to growth
New Apple wares excite … only up to a point: Analysts
Malaysia’s WaryBee in crowdfunding drive on StarHub platform
Forget e-government, it’s smart m-government next
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.