
February 19, 2015
How to Protect Your Wearables Implementation from Cyber-Security Threats (Part 2)
By: Brent Blum

It can happen in any industry—and any enterprise. As wearables become more commonly used in the workplace, intellectual property and proprietary information could be exposed. According to one source, 85 percent of the public sector is unprepared for the impact of wearable technology on its IT infrastructure.1

Consider this scenario: An oil and gas service technician wearing smart glasses is logged in and reviewing confidential documents. If a hacker intercepts the feed and exploits the video functionality on the wearable display, the worker could unknowingly expose specs, processes or passwords. This could lead to the theft of user identification, passwords and/or intellectual property.

Enterprise content could be altered by the hacker in the same way. The technician could be presented with incorrect codes, passwords and procedures, essentially steering the employee’s behavior without his knowledge and enabling the system to feed data directly to the rogue third party.

To avoid these kinds of situations, we urge organizations to prepare for the security implications of a wearable technology deployment.

Four ways to secure wearables
At a minimum, companies should expand corporate security measures to cover wearables usage in their infrastructure, from the network to the device. While wearables security has some similarities to mobile phone security, there are key differences across layers and levels of security, as well as in the types of threats or attacks (see Figure 1).

To get started, we recommend evaluating how the wearable will be used by hands-free workers and what type of data will be presented. Based on the business problem the device will be used to solve, determine the associated risks while also assessing current network security, IT security and privacy protection plans.


Wearables security is…

Layers of security

  Similar to mobile phones: Mobile device layers of security will include the physical device, applications on the device and the device network. Within the layers, security considerations may include password policies, role-based enrollment/access control and network visibility. The mobile device management solution will need to support remote wipe, locking and encryption of wearable devices, both ad hoc and based on geofences.

  Different from mobile phones: Varying form factors will need to be supported. Based on the devices that will be used, apply a solution that allows secure authentication and encryption for those devices. Biometric data is more common on wearable devices. Encrypting all data transmissions from the device can protect against eavesdropping (a more targeted attack).

Levels of security

  Similar to mobile phones: User clearance levels and file classifications (i.e., top secret, secret, classified, unclassified) need to be granted. Based on the clearance level of the user, the system will grant access to only the files needed to successfully perform their role.

  Different from mobile phones: Two-factor authentication may not be feasible on some wearable devices. Consider restricting access to top secret files from wearables.

Types of threats/attacks

  Similar to mobile phones: Malicious applications may be installed unbeknownst to the user and used for targeted attacks (e.g., Spyphones, for eavesdropping, location tracking and email access).

  Different from mobile phones: Increased Bluetooth data transmission when discoverable may be an easy target. Consider setting visibility to “not discoverable” when not in use and use a security code/PIN for device pairing.


Figure 1: Companies can secure their wearables using some of the same principles as mobile phones; however, they will need to use additional measures to secure the unique capabilities that wearables offer.

As we discussed in our previous post on this topic, it is important to secure wearables across four main areas. Here are some ways to approach using fundamental security principles:

  • Data leaks - To protect against data leaks via wearables, follow foundational principles for access control. Use models such as mandatory access control (MAC) or role-based access control (RBAC), and implement the rule of least privilege so that employees cannot easily obtain access to the entire system. Apply security models like Bell-LaPadula and Biba, which limit the read and write capabilities of the employee. If unauthorized users gain access to data through the wearable, they will be restricted to the access level of the user account that has been compromised. Any attempt by an employee to access information not needed to perform their job should trigger a red flag for investigation.

    Some wearable devices offer an added level of security, which enterprises can use to reduce the likelihood of data interception resulting in a data leak. One example is the Nymi bracelet, a wearable authentication device that uses electrocardiogram rhythm to validate identity using three-factor authentication.2 The Nymi cannot work without the combination of the unique heart rhythm of the worker, the wristband and a secured application on a registered smartphone. This device enables seamless access to buildings, systems and applications, which could be ideal for employees who need to enter high-security areas or have authorization to view proprietary digital files.

  • Network security – To reduce network security risk, physical as well as technical controls are important. Preventing noninvasive attacks like timing analysis or electromagnetic analysis may be as simple as updating wiring inside corporate buildings to fiber cabling. Since copper wires emanate signals, hackers can analyze the timing of information transmissions or the levels of frequencies emitted, allowing them to decipher key lengths and potentially crack encryption algorithms. In addition, wearable devices accessing the network should require authentication, authorization and accountability. And the content accessed by wearable devices over the network should adhere to all administrative security policies and procedures.

  • Personally identifiable information (PII) – PII can be protected through measures taken to secure access on wearable devices. However, the healthcare industry must take extra measures due to HIPAA and the HITECH Act, both of which specifically protect electronically available patient information. When storing PII, consider scrubbing the information and only maintaining what is absolutely needed. Another option is to remove enough information to ensure that the data cannot be associated with an individual. Wearable device access to PII should also be severely limited and require additional authentication. Encrypting the information during transmission may reduce PII-related threats. Finally, PII should have levels of classification from unrestricted to top secret, which determine when access is granted based on levels of clearance as well as rules.

  • Government-imposed violations of privacy – Companies must maintain compliance with HIPAA, PCI DSS, ISO and other regulations for all devices, including wearables. To help reduce the risk of audit violations, consider installing extra safeguards, including file encryption, data encryption, key management and more. For instance, to comply with PCI DSS, an enterprise could implement a separate network with a dedicated Internet connection for transaction processing systems. Wearables should not be able to access or connect to this network unless they are being used for transaction purposes. To comply with HIPAA, data encryption will be vital. Wearables should have strong encryption of payment and billing information, lab data, case files, etc.
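The access-control advice above (the "Levels of security" row of Figure 1 and the "Data leaks" bullet) combines several rules: ordered clearance and classification levels, Bell-LaPadula limits on reading up and writing down, Biba limits on reading down and writing up, least privilege tied to a role, a ban on serving top secret files to a wearable, and a red flag whenever someone requests data outside their need. The following is an added example, not code from the original post or from Accenture, showing how those rules compose into one policy check. The roles, user names, file names and the reuse of the same four-level ordering for Biba integrity labels are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Set


class Level(IntEnum):
    """Classification / clearance levels, ordered low to high (labels as in the post)."""
    UNCLASSIFIED = 0
    CLASSIFIED = 1
    SECRET = 2
    TOP_SECRET = 3


# Least privilege: each role is granted exactly the files it needs, nothing more.
# Roles and file names are constructed for this example.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "field_technician": {"pump-maintenance-procedure", "site-map"},
    "plant_engineer": {"pump-maintenance-procedure", "site-map",
                       "process-spec", "pressure-readings"},
}


@dataclass(frozen=True)
class Subject:
    name: str
    role: str
    clearance: Level   # Bell-LaPadula: most sensitive data the subject may see
    integrity: Level   # Biba: how trusted the subject's inputs/outputs are (assumed label)
    device: str        # "workstation" or "wearable"


@dataclass(frozen=True)
class Obj:
    name: str
    classification: Level  # Bell-LaPadula label
    integrity: Level       # Biba label (same ordering reused, an assumption)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Requests outside a user's need-to-know are recorded here for investigation.
AUDIT_LOG: List[str] = []


def check_access(subject: Subject, obj: Obj, action: str) -> Decision:
    """Return a Decision for `action` ("read" or "write") by subject on obj."""
    if action not in ("read", "write"):
        raise ValueError("action must be 'read' or 'write'")

    # 1. RBAC + least privilege: the role must actually need this file.
    if obj.name not in ROLE_NEEDS.get(subject.role, set()):
        AUDIT_LOG.append(
            f"FLAG {subject.name} ({subject.role}) requested {action} on "
            f"{obj.name} outside role needs"
        )
        return Decision(False, "outside role needs; flagged for investigation")

    # 2. Wearable rule from the post: two-factor authentication may not be feasible,
    #    so top secret files are never served to a wearable, whatever the clearance.
    if subject.device == "wearable" and obj.classification == Level.TOP_SECRET:
        return Decision(False, "top secret not permitted on wearables")

    # 3. Bell-LaPadula (confidentiality): no read up, no write down.
    if action == "read" and obj.classification > subject.clearance:
        return Decision(False, "Bell-LaPadula: no read up")
    if action == "write" and obj.classification < subject.clearance:
        return Decision(False, "Bell-LaPadula: no write down")

    # 4. Biba (integrity): no read down, no write up.
    if action == "read" and obj.integrity < subject.integrity:
        return Decision(False, "Biba: no read down")
    if action == "write" and obj.integrity > subject.integrity:
        return Decision(False, "Biba: no write up")

    return Decision(True, "permitted")


# Constructed sample users and files.
ALICE = Subject("alice", "field_technician", Level.SECRET, Level.SECRET, "wearable")
BOB = Subject("bob", "plant_engineer", Level.TOP_SECRET, Level.TOP_SECRET, "workstation")
BOB_ON_GLASSES = Subject("bob", "plant_engineer", Level.TOP_SECRET, Level.TOP_SECRET, "wearable")

PROCEDURE = Obj("pump-maintenance-procedure", Level.CLASSIFIED, Level.SECRET)
SITE_MAP = Obj("site-map", Level.UNCLASSIFIED, Level.TOP_SECRET)
SPEC = Obj("process-spec", Level.TOP_SECRET, Level.TOP_SECRET)
READINGS = Obj("pressure-readings", Level.SECRET, Level.CLASSIFIED)


if __name__ == "__main__":
    requests = [(ALICE, PROCEDURE, "read"), (ALICE, SPEC, "read"),
                (BOB, SPEC, "read"), (BOB_ON_GLASSES, SPEC, "read"),
                (ALICE, SITE_MAP, "write"), (BOB, READINGS, "read")]
    for subj, o, act in requests:
        d = check_access(subj, o, act)
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{subj.name:5} {act:5} {o.name:26} -> {verdict} ({d.reason})")
    for entry in AUDIT_LOG:
        print(entry)
```

The checks are deliberately ordered: the need-to-know test runs first so that a request for a file the role never needs is flagged regardless of clearance, and the wearable rule runs before the lattice checks so that a fully cleared engineer still cannot pull a top secret spec onto smart glasses. The Biba denial on `bob` reading `pressure-readings` shows the less obvious half of the post's advice: a high-integrity role is kept from consuming low-integrity input, which is the mirror image of the confidentiality rule.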

In all cases, companies can help assuage security concerns by training the employees who will use the wearables to complete their day-to-day activities. Helping them understand what constitutes acceptable usage and what precautions to take when using the devices is essential. Enterprises may also wish to outline disciplinary measures to help reduce the risk of inappropriate security behavior with wearables.

To make sure your company is 100 percent ready for wearable technologies, it’s important to fully outline how employees will use these unique mobile devices. Consider potential threats, follow fundamental security principles and develop a comprehensive security roadmap for enterprise usage. Taking these steps will lead to better acceptance and secured use of wearables, which will help maximize the benefits of the wearables implementation to foster innovation, drive growth and increase profitability.

For more information, contact brent.r.blum@accenture.com or karla.a.clarke@accenture.com.

Sources

1. Rossi, B. (2014). 85% of the public sector is unprepared for the impact of wearable technology on its IT infrastructure. Information Age. Retrieved October 7, 2014.
2. https://www.nymi.com/
