The next BYOD security challenge: Wearables

Brid-Aine Parnell

Friday 21 July 2017

Whether it’s enterprise products like head-mounted displays or consumer products like fitness monitoring devices, wearables are invading the workplace – and most of them have little to no security.

As if enterprise IT departments didn’t already have enough bring-your-own-device (BYOD) challenges to worry about, there’s a new game in town: wearables.

Whether you’re talking about enterprise wearables such as head-mounted displays, which help warehouse workers read barcodes and identify packages for shipment, or consumer wearables like fitness monitoring devices, wearables are making their way into the workplace.

Many of these devices are designed to be unobtrusive and become part of what we unthinkingly use every day. Unfortunately, they are also designed to connect with available networks automatically and frequently have little to no in-built security.

IoT malware

Last year, the headline-grabbing Mirai malware showed how limited-security devices could be used in cyberattacks. The malware works by continuously scanning for internet of things (IoT) devices – routers, coffee makers, smart glasses, fitness trackers, etc. – that are accessible over the internet and still set to the factory default username and password. Once it finds one, it can then infect it and force it to report to a central control server, making it into a bot that can be used in a distributed denial-of-service (DDoS) attack.

An analysis by security firm Symantec shows that IoT device usernames and passwords are frequently kept on factory default by users, leaving a backdoor into any network they connect to wide open. On top of that, many wearables store data on the device without any encryption, risking personal data falling into the wrong hands that could then be used in a brute-force attack on more sensitive parts of a business network.

IT departments need to watch the wearables

Enterprise IT staff need to treat wearables in the workplace just the same as they would any other BYOD device, from smartphones to laptops. At present, whether these devices will self-regulate for security risks or become subject to government regulations is still an open question, so they should flag in the company-wide system as relatively untrustworthy devices.

If a company is handing out enterprise wearables for use at work or fitness trackers as part of a motivational project aimed at staff health and wellbeing, then the IT department should be part of the decision-making process on which devices are chosen and how they are secured.

As these devices have their own applications and operating systems, they must be patched and kept up to date on software and firmware to avoid vulnerabilities, just as smartphones and tablets are. Companies may also wish to restrict users to known and trusted applications.

Guarding the network

When it comes to the BYOD wearables, however, the IT department needs to guard the network more than the devices themselves. Because of the huge range of wearables and their various operating systems, it would be impossible for a company to stay on top of the security of each device that comes close to the network.

Instead, the network needs to be monitored for unusual activity. If an IP address that usually uploads miniscule amounts of data (like the number of steps taken) suddenly surges its data load, that should set off alarms.

In time, regulation and security protocols will catch up with the wearable world along with the IoT, just as smartphone security has improved with user growth. But for now, companies need to recognise the threats as well as the benefits.

YOU MIGHT ALSO LIKE

Building the next-gen data centre

Where traditional and web-scale apps co-exist