Spy game: Did you just strap a secret listening device to your wrist?
Attackers may soon be eyeing your smartwatch as a way to get into your business and your bank account, cybersecurity experts say.
That new smartwatch helps you count your steps, and you can even use it to call home during lunch.
But for some, it’s the same as a spy tool, strapped to your wrist and ready to siphon information.
Some Australian schools have banned smartwatches during exams. China reportedly ordered soldiers to take them off—permanently. And now cybersecurity experts are warning that wearable tech like these could be just the ticket an attacker needs to eavesdrop on your info and steal the goods.
If a hacker were able to install malicious code on a wearable device with a microphone or camera, they could carry out secret surveillance, said Lawrence Abrams with BleepingComputer.
“Then that device could then be used to transmit private information such as what the person is seeing, or conversations they may be having,” he said.
“For example, if a CEO of a large company was wearing a wearable that contained a microphone, then a successful attacker may be able to listen in to sensitive corporate meetings,” Abrams added. “This could then be used for corporate espionage or ransoming of the stolen information.”
“For those who are wearing glasses with a camera, then sensitive pictures or videos could also be ransomed,” he explained.
Google Glass image by Mikepanhu via Wikimedia Commons.
Who wants to spy on me?
‘I don’t do anything too exciting,’ you may say. ’No one would want to spy on me.’
But attackers are already trying to invade your world in a digital way every day. They use phishing e-mails and text messages to get your passwords, trick you out of your money, and install malware on your computer or phone. The smartwatch or other wearable device may just offer a new way to do it.
The bad guys may try to sell you a device with a secret connection already installed, like a $17 smartwatch sold on eBay that quietly communicates with China, according to a security researcher.
Data gathered by some fitness trackers.
Hacking your band
One researcher was able to secretly connect to dozens of fitness bands and even make them vibrate.
“The fraudster could take control of your wristband, make it vibrate constantly and demand money to make it stop,” said Roman Unuchek with Kaspersky Lab.
“Just imagine—if a wristband with the pulse sensor is hacked, store owners could look at your pulse rate while you are looking at the prices in the store,” he wrote in a post. “It might also become possible to find out how people react to advertising. Moreover, a hacked wearable with pulse sensor could be used as a lie detector.”
Unuchek was able to steal data, but not much more than how many steps the owners had taken.
“However, in the future, when next-generation fitness bands capable of collecting a greater volume of more varied data appear on the market, the risk of sensitive medical data about the owner leaking out could raise significantly,” Kaspersky Lab said in an announcement about Unuchek’s research.
The coffee shop scenario
Like a lurker waiting for you to leave your wallet behind, a wearable “mugger” might hang out in a public place to see who is the most careless or vulnerable.
“I could see the coffee shop scenario playing out with an attacker launching Bluetooth attacks against various customers or conducting reconnaissance,” said Marc Blackmer, founder of the non-profit cybersecurity education program 1NTERRUPT.
Or, like a stalker, the crook could hone in on one person—and one smartwatch.
“I can also imagine a scenario where wearables would be an attractive attack vector when an individual is specifically targeted,” Blackmer said.
Smartwatch at coffee shop.
For now, these attacks may be more theory than practice. You may end up enjoying your wearable without experiencing any cybercrime, ever.
Currently, the people reported to be using wearables as spy tools are the spies themselves, not their victims, like cheating students recording test questions with their smartwatches and smart glasses.
Still, white hat researchers are uncovering new possible attacks with regularity. They discovered a way to figure out your ATM PIN, using your smart watch to track your hand movements. They found they could learn your username and password by following your hand movements on your keyboard.
Experts are urging wearable makers to pay attention to security.
“Perhaps in the near future they will contain more sensors and hence much more user information, often medical data,” Unuchek said about fitness trackers. “However the creators of these devices seem to think very little about their safety.”
Plug the security holes, and cyber crooks may lose the opportunity to turn the wearable tech trend into their own wave of digital crime.