BYOD is a thorny cybersecurity issue that organizations are still striving to manage, but there’s a new employee-driven risk that needs your attention: wearable devices.
In 2016, 137 million wearable devices were sold, and in 2021, nearly 300 million wearables are expected to be sold, according to research firm Gartner. Smartwatches account for about a quarter of this market, and by syncing with a smartphone, they can store a user’s emails, SMS, contacts, device-owner information, and calendars. With these capabilities, wearables can easily end up holding and transferring sensitive business-related information.
To assess their security posture, we examined an Android-powered smartwatch. In just 20 minutes or so, we were able to acquire a full image of the device, meaning we captured all of the data on it. We invite you to view our 30-minute TECH Talk on the effort, for more details.
Wearable devices have similar security risks to smartphones and fewer cybersecurity protections, representing a rising threat to an organizations’ cybersecurity. To raise awareness about this issue as we close out National Cybersecurity Awareness Month, I’ve outlined some key technical risk factors.
Like smartphones, wearables have a multi-layered, interdependent attack surface.
Network security, application security, mobile security, and physical security are all difficult to implement correctly on their own. Smartphones, and more sophisticated wearables, like smartwatches, involve all of these overlapping components. A weakness in any single area could render other correctly implemented controls ineffective.
Similar to smartphones, security risks stem from third-party apps—and the operating system.
On smartphones, as well as on wearables, it’s logical to pin security risks on the many third-party apps that users install. Each app processes user data and each has its own attack surface. But the risk doesn’t begin and end there. Host operating systems (OS) can generate their own risks independent of any user judgment. One way this happens is when a vulnerability in an OS is applied to a variety of different devices each with their own timetables for releasing system updates.
Sensitive data can transfer from phone to wearable, but security controls cannot.
By design, when a smartphone is paired with a wearable, it will sync data with the wearable device. On a smartwatch, for example, this data could be SMS, email, and calendar. However, once the data has been transferred to the device, the smartphone can no longer control how the information is processed and stored. Even when the smartphone is configured with security in mind, information now on the wearable could be at risk.
Wearables lack the same security functionalities of smartphones.
Smartwatches are smart, but not as smart as smartphones. On smartwatches, interactions between user and device are more limited, largely because of the screen size and the reality that the watch is not always connected via WiFi or a cellular data network. Therefore, most of the mobile device management solutions enterprises require employees to install on their phones cannot be applied to the watch. Similarly there is no remote wipe capability on smartwatches. Additionally, long passcodes for device access may actually prohibit use of the device because it’s hard to punch a lengthy password on such tiny buttons.
Wearables represent a new cybersecurity challenge for organizations to manage. It’s like BYOD 2.0, made more difficult by wearables’ more limited security capabilities and the fact that organizations may not even know if employees are using them. To begin to address this risk, organizations must consider how they can implement security controls and policies for this new endpoint in the enterprise.
 Wearables for this figure include smartwatches, head-mounted displays, body-worn cameras, wristbands, sports watches, and other fitness monitors. Number excludes Bluetooth devices.