The Security Implications of Wearables, Part 2
In the previous post, we talked about the definition and categories of wearables. We will now focus our attention at possible attacks for such devices.
The possibility of attacks varies largely, depending on the broad category we are focusing on. The probability of attack will increase depending on where the attack can take place. Conversely, the possibilities of physical damage are much more remote as you go further from the physical device. As the attack moves further away from the device, the focus shifts towards stealing the data.
Low User Risk, High Feasibility Attacks
These attacks are the easiest to pull off but they have the most limited application against the user. In this scenario, the attacker compromises the cloud provider and is able to access the data stored there.
Figure 1. Hackers are accessing the cloud provider to get the data
User accounts are usually protected by single authentication factor, often times, by passwords. Attackers will attempt to access cloud data by employing tactics such as utilizing the provider’s “forgot your password” mechanisms, using a keylogging Trojan, guessing the password based on data from the user’s other breached accounts, or using a brute-force attack.
Once the account has been accessed, the attacker can see the data coming from the wearable devices and use it to create a better profile of the user in order to target them with specific spam campaigns. This is not a new thing: when the Bitcoin exchange site MtGox experienced a data breach in 2011, its users were targeted with financial service spam. Being Bitcoin users, the spammers assumed that the users would respond more to financial-related scams rather than, say, weight-loss products.
Attackers for this type of scenario are cybercriminals with the ability to create malware and whose main sources of profit come from spam/advertising campaigns. Hackers specializing in data breaches may also employ this attack as they can later sell the stolen information to others for monetization.
Medium User Risk, Medium Feasibility Attacks
These attacks are more dangerous, easier to pull off, but with more limited impact on the user. In this scenario, an attacker can compromise the intermediate device and capture the raw data. The attack can also act as a man-in-the-middle between the network and the physical device to alter the data coming from the Internet or the network.
The easiest way to accomplish this is by installing a Trojanized copy of the mobile app used by the hardware vendor. Nowadays, there are plenty of ways of installing rogue apps in Android mobile devices. Most attackers utilize third party app stores to do this.
This attacker would look to gather a more complete profile of the victim in order to install malware that is more suitable for the particular victim. For example, a malware attack can start by looking for the Google Glass app and using it to determine the user’s current location at all moments. The malware will then download a new malicious app that performs click fraud based on that user’s location.
Another example would be an app that looks for ‘IN’ wearable devices and use them to determine the health level of the user (sporty, struggling, etc.). This information could then be used to hijack ads and change them to ads more “appropriate” to the user (i.e., local gyms, protein drinks or diet pills, based on the stolen health data).
Figure 2. Targeted ads based on information gathered from wearables
Another possible scenario would be for the malware to detect messages about to be displayed on the user’s Google Glass and replace them with ads, spam, or other arbitrary content.
Hackers can also obtain and use the victim’s location to target them with ads or spam based on their current location. It’s interesting to note that hackers may have different approaches to getting the location of the user. If the hacker needs historical data (past locations), a malicious app may attempt to circumvent the phone’s permissions system (as location data isn’t accessible to all apps). An easier way to get the location data is to obtain it from the wearable device. However, the device may not contain historical data; often, it only keeps track of the current location.
The attacker in these scenarios would be someone who makes money from spam/advertising campaigns and perhaps click fraud. These attacks can be done massively without any specific targets.
The next blog entry will tackle the third type of attack and another possible attack vector.
For more information about wearables, you may check out the article “Are You Ready for Wearables?” and the infographic, “The Ins and Outs of Wearable Devices.” For more information about smart devices, you may visit our Internet of Everything hub.