The risk from corporate use of activity trackers and other wearables is low, some experts say -- especially in comparison to all the other security and privacy risks CISOs, CIOs and IT folks must worry about.
That said, as with any connected device, there is potential for risk. For example, recent research suggests that devices such as Fitbits can be hacked when the attacker is in close proximity. By focusing on accelerometers and other motion sensors, researchers at the University of Michigan and the University of South Carolina found that it’s possible to, among other things, use sound waves at different frequencies to add thousands of steps to a Fitbit. (Scroll down to read Fitbit’s response to the research results.)
Here’s what you should know about the security and privacy risks of wearables, and the best practices for minimizing those risks.
1. Wearable security is a legitimate concern
With all the security concerns that enterprise IT teams already have on their minds, do they also need to worry about wearables?
Yes, says Jeff Pollard, a principal analyst focused on security and risk at Forrester Research. For example, some fitness trackers can provide geolocation data “minute by minute to the cloud,” sharing employee as well as company locations. At the same time, “enterprise employees and consumers are opting in to data aggregation and analytics at a daunting scale,” he explains.
“Though IoT devices and wearables don’t necessarily create new security vulnerabilities, they reintroduce a lot of old ones,” says Steve Manzuik, director of security research for Duo Security, a cloud-based trusted access provider. Such devices are “like the wild West of easy hacking targets that many experienced with mainstream computing back in the 90s,” he says.
As with typical consumer IoT devices, wearables “in most cases don’t ship with built-in security and so they’re vulnerable to being compromised,” says Vinay Anand, vice president of ClearPass Security at Aruba Networks, an enterprise wireless LAN provider.
“From an enterprise IT standpoint, this could be particularly worrisome because of the channel wearables maintain with smartphones that adversaries could exploit,” Anand says. “As the wearables are usually connected to a variety of cloud apps and, depending on an organization’s BYOD policy, the corporate network, this can be a launch point for an attack. This means that malware and other forms of attacks can use that path to compromise the phone and then other resources inside the network. The attacker would have access to legitimate enterprise credentials that would lead to loss of, or the ransom of, sensitive data.”
2. In the scheme of things, wearable security may not be a huge concern