Wearables, security and why you're suddenly the one to blame for bringing down the company

Profile picture for user mbanks By Martin Banks August 26, 2015
Security used to be just about keeping virii out of corporate systems so data stayed sacrosanct, but the arrival of wearables and IoT – and the potential for exploitation of both in tandem – is about to raise the security stakes alarmingly

Useful or dangerous?

It is Thursday. You turn up at work and place your hand on the palm print recognition plate, stare closely at the retina pattern recognition device and then step back so the full facial element distribution analyser can scan you. Then, after swiping your right index fingerprint and speaking your own pass-phrase to the voice recognition system – and because it is Thursday say it backwards as required – you are allowed into the building.

Four hours later, the production facilities indicate that huge quantities of that poisonous, highly volatile and potentially very unstable chemical the company is famous for are trapped in the production system, starting to become unstable, and the production system is not responding to commands from the control room.

Five minutes pass and the CEO gets an email – on his very private 'not-even-his-wife-knows-this-one-better-check-it-now' email address – offering to reset the production facility to normal in return for the payment into a Swiss bank account of `1’ followed by an astronomical number of zeros in dollars.

You hear office gossip that afternoon suggesting that the production system has gone haywire and think to yourself: 'Glad I only work in sales administration and not production, at least this cock-up is not down to me'.

Quite by chance, however, it is down to you…….all of it.

So starts the opening chapter of a potboiler bought to read on the train ride to work, or even perhaps the fully automated, self-driving car share that takes you and Fred from the next street to work every day. All the technology to do this exists right now.

Even though I am not normally one of the hyper-security scaremongers that over-hype every possible aspect of the subject, I do find myself wondering whether the gizmo-freakers of the IT business, and especially those in the consumer market looking to create this year’s must-be-seen-with techno-toy, are having fun thinking they can run before they have learned to walk properly.

You are what you wear

What started this line of thought off was this piece on wearables by Charlie Bess. As he points out, wearable technology is going to be big, and popular and, perhaps most important of all, the thing to be seen wearing. Bess notes:

The wearables category includes smart watches as well as connected eye wear, gesture-controlled devices… essentially the personal edge of the Internet of Things. Wearables will become 17% of the devices sold in 2020 according to Tractica and Juniper Research believes that the wearable market will grow to $80 billion by 2020, so this is a significant wave headed into nearly every business.

There is also a huge potential for businesses to positively exploit wearables. They can use them to inform staff of any number of developments – from process alarms to what is the special in the staff canteen, or locate them – even warn them that they are in some danger. As is often said in such circumstances, the number of applications is only limited by human imagination.

As Bess points out, there is also a downside, with the primary one being the risk of valuable enterprise data being purloined. There is also another that occurs to me – the capability for some wearable technology to be `adjusted’ at some stage to become a carrier of malicious code.

And what better way to break into a secure site than to travel as a passive passenger on a wearable device on a person going through the normal security processes for entry, staying passive while that person logs on and starts work and then – for example, once standard WiFi transactions between their PC or laptop and the company network are detected – become active in trying to find a way to infiltrate the enterprise system.

Now add in two simple, fashion-related factors: one is that many of these gizmos will fall into that in-crowd/out-crowd `must-be-seen-wearing’ category. This can be seen everywhere with the Apple watch, for example. The other is that the former always provokes the arrival of the cheap copy, often found on street market barrows and online scam websites.

It does not take too much imagination to wonder if the more organised cybercriminals will seize this opportunity to move in on that business to get people to pay to wear devices that are pre-loaded with malicious code? The unit price would be peanuts, and they would still make money from the 99%+ that are just worn and never go near any suitable access point. And from the 0.1% that do strike pay dirt the results could be `spectacular’.

What is more, it may well turn out that snaffling some enterprise data will be small bear for the cybercriminals. There is a need to think more of fanciful, Bond vs SMERSH scenarios.

Are you in control of this vehicle, sir?

As a recent story in Wired shows, the risk is growing that the true answer maybe `God alone knows the answer to that one, officer - or maybe it was some hackers!'.

This is the one about Charlie Miller and Chris Valasek, who found a way of snatching control of a Jeep Cherokee SUV from the driver. The story has been seen as so scary that the US Senate is set to vote on protective legislation. Senators Ed Markey and Richard Blumenthal have set in train the introduction an automotive security bill.

The two hackers have, perhaps fortunately, been sharing their research with Jeep makers, Chrysler, but the basis of what is possible is fairly straight forward. Chrysler vehicles have, for the past few years, been fitted with Uconnect, an Internet-connected computer-controlled entertainment system. It also handles phone calls and guess what – it even offers a WiFi hot spot.

It also has a vulnerability the hackers discovered in its cellular connection that opens the system up to anyone who knows the vehicle’s IP address. I can imagine the designers are not alone in having thought, 'Who’d want to get into this system, anyway?’. There are probably thousands of similar systems, in millions of cars, where the designers have never considered the possibility that a way into their products has been inadvertently designed in, let alone what might then be possible once access is gained.

After all, though most car makers will suggest their vehicles are now mobile entertainment centres, they are in fact complex, self-contained Internet of Things environments on wheels which, if the likes of Google et al get their way, will become self-driving, fully automated, `Uber-managed’ transport utilities.

That could also be translated to `the safest thing ever invented’ or 'high-velocity projectile’, depending on the level and effectiveness of the security provided.

Swap 'vehicle' for 'factory'

If vehicles can be compromised quite so easily – not least because defending them is likely to be a more complex task than just preventing a virus or Trojan gaining access – imagine what the issues will be on IoT installations of significantly larger size and complexity.

The hierarchical architecture that is likely to be applied to most complex IoT environments may have some part to play in isolating the potential impact of some attacks, but so long as the attacker has found a way into the system, it will probably be possible to then infiltrate all areas of the network considered `productive’ by the cybercriminals, as demonstrated by the Stuxnet worm some five years ago.

This is where wearable technology could be a particularly versatile carrier of virii, trojans and other malicious forms of attack as yet uninvented. And because the possibility exists that they might hide passively and undetected until the right moment arrives, defending against them may be difficult.

This may be compounded by the fact that many businesses feel it appropriate to provide certain staff with clothing suited to the type of work. So what might be easier for the suitably malicious than to participate in the provision of such clothing or material? It might be easy to then engineer devices that share out the infiltration or delivery of an attack, something particularly suited to that opening storyline about a potentially dangerous production process.

And, bottom line, the issues of security in both wearables and IoT systems are complex for each sector individually, not least because both are still new, and still in the early rush of development where the `this might work’ spirit of product development often overruns the tempering effect of `and what might the consequences be?’.

Put them together, however, and the potential for complex security attacks from new, as yet unimagined vectors has to be running high.

My take

The pace of product development is unlikely to slow, and the way that the technology can be applied is, if anything, likely to grow. But while all the above may seem fanciful, the fact that new applications are not just identified but put into service without real consideration of the security implications is now becoming dangerous. After all, we are no longer looking at businesses losing a bit of data, this is about people losing lives.