What exactly are activity trackers, and what security risks do they pose to enterprise IT?
It can be more serious than you think. Activity trackers are often targeted by hackers because they are vulnerable, passwords included, make it easy to identify the business habits of key internal roles, and function as entry points into other systems.
At one end of the security-testing spectrum is AV-TEST. The research agency in Germany recently tested the security of the Apple Watch Series 3 along with 12 fitness trackers. Of the 13 devices in total, 8 received the top rating of three stars. However, AV-TEST’s evaluation was based on personal security, not corporate security.
Like any device, app, or other technology connected to the Internet, an activity tracker cannot be 100% secure. The Strava incident early this year showed how badly data generated and shared by activity trackers can be exploited. Let’s take a look at 5 things that enterprise IT must know about activity trackers and their security.
1. Fitness tracker security has improved, but dangerous products also exist
Compared with previous tests conducted by AV-TEST, device manufacturers now treat the protection of fitness data and customer data as far more serious and important. That is only natural given the recent data leak incidents.
This is the conclusion AV-TEST researchers reached when they released their latest activity tracker security test results in May 2018. In 2016, the AV-TEST research team had found that tracker manufacturers often “do not pay enough attention to security aspects.”
AV-TEST’s 2018 study tested each tracking device for external communication security, local communication security, app connectivity, and data protection. Based on the test results, each device was given a security score of one to three stars.
The Apple Watch Series 3 earned a “three star” rating in all four test areas. This is very fortunate considering Apple’s sales volume. According to IDC’s market research data for the first quarter of 2018, Apple is now the clear leader of the worldwide wearable market. As a result, the number of Apple Watch users is expected to increase.
The Charge 2 from Fitbit, which according to IDC is currently the world’s third-largest manufacturer of wearable devices, was also rated highly by AV-TEST. Fitbit is also a major manufacturer whose wearable devices are widely used in corporate fitness programs. Enterprise Fitbit devices are typically managed through the Fitbit Health Solutions platform.
In addition, six other manufacturers, including Huawei and Garmin, also received a three-star rating from AV-TEST. In the IDC list, Huawei ranked 4th in the world and Garmin ranked 5th.
Lenovo’s HW01 tracker, on the other hand, received only one star. China’s Xiaomi, as well as Paula and Move, received two stars. However, companies outside of China will not find users wearing these devices. Xiaomi is listed by IDC as the world’s second-largest manufacturer, but most of its market is concentrated in China. Paula and Move do not appear on the IDC list.
2. Hackers and tracker metadata
Hackers are not interested in how many steps a user has taken today or what their average heart rate is. Hackers use trackers to get a bigger picture of the user’s activity patterns.
“This is especially true if the user is a key target of hackers,” said Ramon T. Llamas, director of mobile devices and augmented/virtual reality at IDC. “If you only get three pieces of information – the user’s momentum, exercise distance, and exercise time – you can find out when the user is not working, and that information will make the user the best target,” Llamas said. This can be seen from the recent Strava case.
In January 2018, the media reported a massive leak of GPS location information from US military personnel who had linked their activity trackers to the fitness network Strava. The cause was the Global Heatmap, which anyone with an Internet connection could easily access. It was an unpleasant incident for the US Department of Defense. Strava CEO James Quarles said that, along with a series of corrective efforts, Strava is “working with the US Department of State and government agencies to process sensitive data.”
3. Activity trackers: trivial-seeming, but good prey
“Among the IT security issues, activity tracker security is a low priority, especially compared to other items such as password database outbreaks,” said Forrester security and risk analyst Merritt Maxim. “But the list of hackers’ priorities can be different from what we think. Sometimes hackers pay attention to items that corporate IT does not pay attention to, because they are easy targets.”
For example, a few years ago, corporate call centers were treated as not very secure. Then hackers began using social engineering and other strategies to extract corporate customer information from call center employees, especially outside of the US. After several incidents, call centers rose to the top of the list of corporate IT security priorities, Maxim said.
4. The stolen smartwatch is the biggest problem
Smartwatches continue to evolve, while dedicated fitness tracking devices are losing ground. IDC said that in the first quarter of 2018, smartwatch sales for Apple, Fitbit, and other manufacturers increased 28.4 percent while basic wearable sales decreased 9.2 percent.
While the first smartwatches were limited to connecting via Bluetooth, current models connect to smartphone apps via Wi-Fi. This Wi-Fi connectivity gives hackers greater freedom to access user information, such as email, via the smartwatch. “If you have a smartwatch mobile connection, you can connect to it online without having to be in range of Bluetooth,” said Chet Wisniewski, senior research scientist at Sophos.
Of course, most people do not have to worry about this scenario, which is reminiscent of a spy movie. “The problem is in a high-profile company with access to sensitive information, and if their smartwatch is stolen, they should be told that their access to this information is also stolen,” said Wisniewski. “If you lose your smartwatch, you should report it immediately.”
This allows you to remotely deauthorize the smartwatch in question. For example, Apple offers an Activation Lock feature, which is enabled by default in Apple Watch with Wi-Fi turned on.
“If the smartwatch connected to Wi-Fi is lost or stolen, you can also use the Mobile Device Management (MDM) system to ensure secure data transfer between the smartwatch and the business, just like data transfer between smartphones and tablets. Of course, MDM should also be kept up to date.”
5. Smartwatches do not pose additional risk
Wisniewski said, “Even if you do not use a smartwatch, you will always be carrying your smartphone.” Smartphones continuously track users’ locations and share the data with mobile device manufacturers and software companies, as well as the four major telecommunications operators in the United States. In June of 2018, it became clear that US wireless carriers were sharing location data with third parties.
Users are already paying close to a million won for devices that track their location, and carrying them willingly. The location information collected from users flows to all kinds of companies. Seen in this light, smartwatches have not created unprecedented new risks.
“Eventually, what corporate IT needs to do is explain the potential risks and explain the clear steps and procedures to mitigate those risks,” Wisniewski said. Identify the users hackers are most likely to target and help them pay more attention to security.
Of course, users could be advised not to wear a smartwatch or activity tracking device at all. But not many will follow such instructions faithfully. “It does not make much sense to tell users what to do or not to do,” Wisniewski said. This is especially so if the device in question is a smartwatch that is often used for business as well as for personal use. “I have to admit that there is no other way around this part,” he said.