Now that the Internet of Things is all the rage, I wanted to take a look at a trend in IoT that I find particularly exciting and that’s wearable devices. In theory, wearables could present us with a paradigm shift in the manner in which users interact with technology, moving us away from the old mouse and keyboard combo, and possibly even the touchscreen. For now, we are not quite there and science fiction superlatives are premature. At this time, wearables are in simplest terms appendages of our mobile phones. They’re meant to more conveniently convey notifications, collect heartbeat measurements, and throw an alternate camera angle into the selfie-filled mix. Though wearables are still in their infancy, rising adoption highlights the need for a discussion about the concerns that could accompany these new technologies. Let’s attempt to carry out this discussion in two modes: current privacy issues and future overall security concerns.
With Creepy Enthusiasm
Sadly technology isn’t always used in the benevolently child-like way we intend; gone are the days of look-what-I-can-do wonderment.
Instead, we see users adapting technologies old and new to satisfy base desires. A recent twitter-storm documented by Gawker showed just that, as a Chinese Glass Explorer was found using his new device to upload unsolicited pictures of women in public places to his twitter account. His actions fit into a reprehensible internet subculture of fetishizing ‘creepshots‘ that has caused great uproar. Unfortunately, the principal design tenets of wearables have the unintended corollary of making perfect devices for this community of perverts.
With an unassuming device and a nearly undetectable camera, a wearable can be used as a predatory tool for violating the privacy of unsuspecting bystanders. During our Latin American Security Analysts Summit, Roberto Martinez and I took up the mantle of predatory wearable users, taking candid pictures of our guests to display during our presentation. I’m disappointed to say it was incredibly easy to get away with. In the case of Roberto’s Glass, the wink feature (which allows the user to take a picture by simply winking in the direction of the target) was indispensable to our experiment. In my case, I had a Galaxy Gear 2 which Samsung had cautiously programmed to accompany pictures with a loud noise in order to alert nearby targets.
However, creepers will not be easily deterred! And a solution was swiftly proffered in the form of rooting and a handful of commands. Most people are familiar with the notion of rooting or jailbreaking a device these days. It is often touted as a means of retaking control of your device, away from the clutches of evil limiting corporations! In the case of the Gear 2, the uses of rooting are anything but benevolent. Rather than unleashing homebrew development creativity, the sole use of rooting the Gear 2 that I’ve been able to spot is to disable the moderately loud sound the device emits to notify passersby that they are in fact being photographed.
On more specific terms, the process includes the use of a leaked internal Samsung tool called ODIN in order to flash an alternate ROM onto the device that comes with root privileges enabled. Root privileges are not required in order to install applications themselves but will be necessary in order to mount the otherwise inaccessible filesystem. Once mounted, the creeper needs only zero-in on the folders that contain the camera notification sound files and move them elsewhere for safe-keeping. Thus, when a picture is being taken, the camera application will look for these files in vain and continue to take the picture sans shutter sound. Since the camera is quite discreetly placed, lacks a flash, and shows no other outward indication that a picture is being taken, this sound is a crucial privacy feature in the device’s design.
With the Tizen Smart Developer Bridge (reminiscent of the Android Developer Bridge) in hand, semi-proficient users can also sideload applications in wgt format onto the device. In the case of video recordings, an altered camera app can be sideloaded that includes a single modified line within the package thus eliminating the pre-imposed limitation on video recording from a few seconds to as much as the cramped storage will allow. These two modifications allow a perverted user to turn the otherwise benevolent smartwatch into a rather creepy device.
The Less-Scrutinized Link in the Mobile Security Chain
An interesting implication arises from being able to sideload modified applications onto the device with such ease. Though Tizen applications are meant to go through a rigorous testing process, this process occurs on the side of the controlling device – in this case, the Galaxy S5 loaded with the Gear Manager app paired to the smartwatch. When an application is installed on the device through the Gear Manager app via bluetooth, there are no indications or notifications on the smartwatch that a new application has been installed. This goes to stress the perils of the simplified interfaces on most wearable devices and thus the importance of maintaining the integrity of the controlling mobile device. With Android being a primary target for mobile attackers, rising consumer interest in wearables is bound to be met by rising attacker interest in these devices as well, which brings us to the prospective side of our discussion…
Laymen cybercriminals are not the only one’s interested in our devices. Sophisticated actors have a distinct interest in infecting mobile devices as these become the gateway for intimate information about individual targets not commonly found on corporate networks. Though I would in no way claim that wearables are being targeted by these actors at this time, there is a twofold appeal presented by wearables that make them a likely future target if widely adopted by consumers:
- Firstly, the information wearables devices gather is going to attract new corporate players to the cyberespionage scene. If wearables are adopted by a large enough crowd, insurance companies interested in tweaking and improving their risk mitigation formulae will be jonesing to get their hands on the aggregated vital signs and unadulterated exercise details of their clients. This information could translate into real money for these companies and that sort of financial incentive is often enough to encourage less than ethical means of information gathering.
- Secondly, we need to be wary and adopt a holistic approach towards the security of a chain of devices paired for data sharing. When it comes to a home or office network, securing endpoints isn’t enough. Any device on the network, even if it’s a printer or a seemingly harmless network storage device, can represent an entry point or means of persistence for an attacker. The same occurs with mobile devices and their less sophisticated accessories.
In an espionage campaign, breaching the security of a mobile device is only the beginning. Oftentimes, valuable information will become available with long-term access to the device as the unsuspecting target goes on about their everyday dealings. Given that security solutions are already deployed on mobile platforms, less sophisticated appendages such as wearables connected to mobile devices could become particularly interesting to advanced threat actors looking for a means of persistence with a lower probability of detection. In this case, resilience and discreet execution are gold standards, and what is more discreet than operating within a device whose simplified interface and inaccessible filesystem essentially insure that the breach will never be detected by even the most competent users?