With the Apple Watch's big release in two days and pre-orders already having sold out, the security implications of wearable technology and the Internet of Things have been front in center and for good reason. With widespread adoption of the Bring Your Own Device (BYOD) revolution in offices of all sizes today, MSPs have to educate their target audience on the importance of mobile security and encourage clients to establish use policies and response plans, should their devices become compromised.
Have you considered offering Mobile Device Management (MDM)? While one should always be wary of potential vulnerabilities in new gadgets and gizmos, the security concerns around Apple Watch can be mitigated if you encrypt the iPhone it connects with. Still, there are a few aspects of Apple's newest toy you should watch out for...
WIFI & Bluetooth Connectivity in Apple Watch Could Be Used as Another Access Point to Execute Malicious Schemes
The flashiest new timepiece on the market has IT security analysts concerned because it communicates with the iPhone via its WIFI and Bluetooth connection. What does this mean? If hackers attempt to attack the wearable device, there's concern that they could exploit this connection to compromise employees' iPhones as well. You may have a solid mobile device management (MDM) plan in place, meaning that connection would be secure through encryption, but experts are warning customers that cybercriminals could attempt to use the Apple Watch as a backdoor to gain access to their corporate network and sensitive data.
In CSO's Five security questions you should be asking about the Apple Watch, Maria Korolov explains this further by identifying the opportunity for hackers to eavesdrop on watch-to-phone communications. Although it remains to be seen the damage hackers can do, Ken Westin, senior security analyst at Tripwire, believes they will certainly explore the boundaries of the connection will full conviction and echoes the common security concerns surrounding the upcoming release.
"The fact the device uses both Wi-Fi and Bluetooth will provide a great deal of interoperability and additional functionality for the watch. However it also comes at the price of increasing the attack surface for the device." ~Ken Westin, Senior Security Analyst, Tripwire~
But how exactly would cybercriminals take advantage of this interconnectedness between the Apple Watch and iPhone?
Hackers can manipulate the connection between two devices through what are known as man-in-the-middle-attacks. When this connection hijacking (as it's also referred to as) is successfully launched, the attacker is able to intercept, monitor, save and mimic any traffic passing through the devices. If successfully deployed, you could think you're looking at the Google home page when in reality, you're accessing a malicious site controlled by an attacker who has intercepted the connection and sent a false signal to your device. You can see how damaging this would be once they have access to your system, and that's why mobile security is more pressing than ever.
In theory, if the connection between devices is encrypted, a man-in-the-middle attack cannot be executed because the hacker cannot break through and tamper with that traffic. That's one of the reasons MDM, which wraps users' mobile devices with an added layer of protection, is strongly encouraged to keep the data on the iPhone secure should the bridge between devices be breached.
I want to stress that the rules of network security are being rewritten as quickly as new IT vulnerabilities are discovered. To be safe, urge all clients to expand their IT policies to the Apple Watch, as well as any other wearable technology or "smart" devices they introduce into the office.
Looking to learn more about security vulnerabilities in Bluetooth connections, specifically? Kaspersky wrote an awesome blog post about how Bluetooth Connectivity Threatens Your Security. In it, they detail common cybercrime practices like "Bluejacking" and "Bluebugging."
Because it enables these outside apps, the Apple Watch presents another security concern for your client companies, if not properly addressed. Let's walk through two recent examples that practically happened in tandem last year.
Third-Party Apps Integrated with the Apple Watch Could act as a Gateway to the iPhone
Dropbox & Snapchat as Case Studies
Within the span of a week, hackers successfully captured roughly 7 million account credentials from Dropbox and 100K photos from Snapchat [source]. Both companies insist that this was done through third party apps that integrate with their services, not as a result of their own server breach. App developers can compromise these apps after being granted access to major apps like Dropbox and Snapchat, but before publishing in the app store. While the main apps giveth and so can taketh away, the damage has usually been done before they learn that malicious code has been added to the third party apps they're connecting with.
Because you can access apps on the Apple Watch's screen, you should expect attackers to try to exploit this connection and use it as a gateway to infect the iPhone it communicates with so as to gain access to more sensitive data.
How Can Clients Adjust Their IT Policies in Light of This?
It's important to help your clients understand that not all apps are high security. As Business Insider quotes Shaun Murphy, CEO of Internet security firm PrivateGiant in its related article, Here's How Hackers Could Be Stealing Data From Your Favorite Apps And Services:
"You don't know what's happening behind the scenes. At any point in time you send something through the app, that app can do anything it wants to it before it sends it through to Dropbox. And you would never know."
While these popular apps may be encrypted, you cannot assume the same security standard for the third-party applications they grant access to. Advise clients to be careful about which of these apps they download, and stress the need for a different, strong password for the login credentials.
If this is still not enough, InfoWorld's Galen Gruman shares how IT can manage the Apple Watch, explaining:
"By using Apple's iOS policies via an MDM server, OS X Server, or the Mac's Apple Configurator app, IT can manage which apps can be updated or removed, which personal apps' data can be shared with corporate apps and vice versa, when VPNs are used, whether Touch ID is enabled, when AirPrint and AirPlay are allowed, which networks can be accessed, password requirements, and whether and how Siri can be used."
Therefore, if you're concerned about clients' third party app usage getting out of hand, suggest they bake that into their IT policy!
Internet of Things (IoT) & Interconnected Systems
When it comes to the Internet of Things, Apple reigns as king. You can now connect your iPhone to your iPod Touch to your iPad to your Apple TV to your Macbook...need I go on? The network of interconnected systems is only going to expand as time goes on. Did you know that right now, the number of Internet-connected devices (12.5 billion) has exceeded our population globally (7 billion), with a projected total between 26-50 billion in 2020? While that's exciting to most users, consider all of the potentially exploitable endpoints. It's scary.
As IT service providers, you understand that as technology increasingly pervades the modern office and the digital lines between personal and professional become more blurred, your clients have to be prepared to address the accompanying security concerns. While I don't mean to raise alarm about the Apple Watch, MSPs can't just hit snooze and ignore these latest IoT implications. Don't be late to this party. Be prepared and proactive, and show clients how they can introduce this new product into the workplace once the proper measures are in place. All in due time.
- Ignoring Mobile Device Management: IT SNAFU Day 7
- The EMM Market Will Double by 2018: How MSPs Can Take Advantage
- 5 Crucial Tasks For IT Departments in The BYOD Era
By Meaghan Moraes
By George Anderson