Smartwatches and corporate data
I was super excited when my wife got me a smartwatch. In addition to the geeky coolness factor of a smartwatch, being a long-time security professional I was also interested in the security implications in a BYOD or corporate issued device scenario. Would this allow a new way for users to access corporate data? Is it possible to block these devices? And what other implications had I not considered?
The Apple Watch will be available soon, and other smartwatches are beginning to proliferate across the enterprise as users predominantly purchase them in a Bring Your Own Smartwatch scenario. Some smartwatches work on the cellular network, but most are Bluetooth-based. It was clear to me from the beginning that, despite the coolness, threats to corporate data and PII (Personally Identifiable Information) could stem from using the device, but I was unclear to what extent.
I was less interested in the health Apps and more interested in reading text messages and email on my device, as well as receiving notifications from my favorite Apps such as Untappd. In my test lab I paired my device with my Android smartphone by installing the necessary smartwatch management and “pairing” App and then pairing my smartwatch to my smartphone via Bluetooth.
Once I set up notifications for my preferred Apps and set up access to my Email accounts, I proceeded with my testing. I began with corporate email. I determined that I was able to receive corporate email on my device. In addition to syncing Email, I unknowingly synced my corporate calendar as well and could read calendar events and their details. Additionally, if the email contained an attachment with a picture, I could view and save that on the device as well. This obviously represented a threat to enterprise data, and of course PII (email addresses, email, contacts, and more), especially if my smartwatch was ever lost or stolen.
As a security professional, I then investigated the ways in which I could protect both my personal data and corporate data. I determined that it was possible to set up some security and privacy options on the smartwatch. On mine there was a Device PIN that you could enable, which allowed a 4-digit or longer PIN.
Additionally, there’s an interesting option where the smartwatch will lock when it is out of Bluetooth range of the smartphone or tablet. But unlike a normal mobile device PIN, there’s no time-based lockout (typically 15 minutes of inactivity). And if a determined attacker wanted access to the data, I determined that the PIN does not protect USB debug access: I was able to access the CLI with no password. From there I could access a variety of directories and files, including application database files. It should be noted that root-level access was not allowed, and some database files were found to be encrypted. What concerned me was the lack of uniformity and the unauthenticated access to the device itself.
So what proactive and reactive controls exist to allow an EMM (Enterprise Mobility Management) or MDM Administrator to control smartwatch usage on their managed mobile devices? Let’s break these down:
- Disable Bluetooth altogether on the mobile devices (not practical)
- Disable Bluetooth data on devices and limit bluetooth to voice-only (might be acceptable for corporate issued devices, but not BYOD)
- Manually Blacklist or use an App Reputation Service to disallow known mobile device smartwatch Apps, and use the Quarantine to Selectively Wipe corporate data and/or block the device’s access to the corporate network.
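As an added example (not code from the original post), here is a small policy evaluator that applies the controls above to MDM inventory records: corporate-issued devices must run Bluetooth voice-only, and any device carrying a blocklisted smartwatch companion App is quarantined with a selective wipe and a network block. The package names, inventory records and field names are constructed placeholders, not a real MDM's API.

```python
"""Evaluate constructed MDM inventory records against the smartwatch controls
described in the post. All package names below are constructed placeholders."""
from dataclasses import dataclass, field

# Constructed blocklist of smartwatch companion (management/pairing) Apps.
WATCH_COMPANION_APPS = {
    "com.example.watchmanager",  # placeholder package name
    "com.example.wear.pairing",  # placeholder package name
}


@dataclass
class Device:
    device_id: str
    ownership: str                  # "corporate" or "byod"
    bluetooth_enabled: bool
    bluetooth_voice_only: bool      # True when Bluetooth data profiles are blocked
    installed_apps: set = field(default_factory=set)


def evaluate(device: Device, blocklist=WATCH_COMPANION_APPS) -> dict:
    """Return the control decision for one device.

    Policy from the post: disabling Bluetooth entirely is impractical, so it is
    not enforced; voice-only Bluetooth is enforced on corporate-issued devices
    only; a known companion App on any device triggers quarantine, i.e. a
    selective wipe of corporate data plus blocking the device from the network.
    """
    companions = sorted(device.installed_apps & blocklist)
    actions = []
    if companions:
        actions += ["selective_wipe", "block_network"]
    if (device.ownership == "corporate" and device.bluetooth_enabled
            and not device.bluetooth_voice_only):
        actions.append("enforce_bluetooth_voice_only")
    if companions:
        status = "quarantine"
    elif actions:
        status = "noncompliant"
    else:
        status = "compliant"
    return {"device_id": device.device_id, "status": status,
            "companion_apps": companions, "actions": actions}


def evaluate_fleet(devices):
    """Evaluate every device in a constructed inventory list."""
    return [evaluate(d) for d in devices]
```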