
MobileIron Analysis of Smartwatch Security Risks to Enterprise Data

v 1.2

MKT-9170 | © 2015 MobileIron, Inc.

1 MobileIron Analysis of Smartwatch Security Risks to Enterprise Data

Executive Summary

Consumers are purchasing smartwatches to pair with their mobile devices to track health information, but also to access corporate email, calendar, contacts, and corporate apps. This can present a risk to enterprise data leading to possible data loss, but to what extent?

For most organizations, smartwatch security became a priority with the release of the Apple Watch in April 2015. MobileIron had been analyzing smartwatch security risks prior to the release, as demonstrated by the vulnerability identified and reported to Samsung for the Gear 2 Neo back in March 2015. Samsung was very responsive in issuing a software update to disable this feature.

MobileIron’s Security Research Team analyzed a myriad of smartwatches to identify the risks to enterprise data by pairing them with a mobile device that is connected to enterprise resources, such as email or calendars. The team researched smartwatches that can be paired with Android and iOS devices. Some smartwatches can pair with both the Android and iOS platforms. A pairing app is required for all of the smartwatches tested.

The team analyzed the Apple Watch, Motorola Mobility Moto 360, Samsung Gear 2 Neo, and Shenzhen Qini U8 to ensure that a nice cross-section of smartwatches was analyzed. Each of these devices represents a different wearable platform. Additionally, the MobileIron Security Research Team analyzed the pairing apps installed on the mobile devices. While most pairing apps were benign, the whitepaper outlines a less common Chinese-manufactured smartwatch that presented some suspicious behaviors. This could pose a risk to personally identifiable information such as access to downloaded and cached content, phone hardware information, and more. This particular pairing app also was downloaded outside of the Play store, and any potential risks present remind us of the importance of enforcing the curated apps within Google Play.

One of the most important aspects discovered during the research is the difference in passcode protections of smartwatches when compared to mobile devices. Most people are familiar with setting a PIN or passcode as a fundamental security best practice to avoid data loss in a lost or stolen scenario. Once the passcode is set, a time-based policy on the device locks the device, say after 15 minutes of non-use. Smartwatches use the passcode in a much different way. They commonly use a proximity-based approach to protecting the smartwatch. The passcode protection is enabled when the smartwatch loses connectivity to the mobile device (typically Bluetooth), for example, if it was stolen. Furthermore, the Apple Watch uses sensors to determine if it’s on the user’s wrist and enables the passcode protection when the sensor detects that it has been removed. In all of the smartwatches tested, the passcode was an option. The Apple Watch was the only one that prompted for a passcode during setup.

What follows is a detailed analysis of four smartwatches, followed by a summary and best practices guidance at the end of the whitepaper.

Samsung Gear 2 Neo

One smartwatch that was analyzed was the Samsung Gear 2 Neo. This smartwatch can sync with an Android-based smartphone with the Samsung Gear pairing app. From there the user can pick and choose what apps to receive notifications from, as well as sync email, calendar, contacts, make calls, and sync and respond to SMS messages. Furthermore, attachments such as photos can be downloaded and saved on the smartwatch. When pairing the Gear 2 Neo with a corporate managed smartphone, the user can sync corporate email to the smartwatch. In this scenario, enterprise data is present on the smartwatch, so the data is potentially vulnerable to any risks to the watch itself. This was the genesis behind our research.

The Samsung Gear 2 Neo provides an option for passcode protection, which is disabled by default and does not prompt the user to set it. This means that if the smartwatch was lost or stolen, an attacker would have full access to the data on the device. But if the user is security-minded they can find the PIN option under Settings on the smartwatch and can set a passcode, which only accepts numbers. It’s important to note that, as with many other smartwatches, the passcode protection is not time-based like a smartphone, but proximity-based. This means that as long as the smartwatch is paired with the smartphone, the passcode protection is disabled. Only when the smartwatch becomes unpaired from the smartphone, either because it’s outside proximity or because the user has disabled Bluetooth, does the passcode protection become enabled. This is also the case when the smartwatch is rebooted.
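The practical difference between the three lock models this paper contrasts (time-based on a smartphone, proximity-based on the Gear 2 Neo, wrist-sensor on the Apple Watch) is easiest to see by replaying events against each. The following is an added example, not MobileIron's code; the policy and event names and the 15-minute idle timeout are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class WatchLock:
    """Minimal model of one device's lock policy (assumed names, not a vendor API)."""
    policy: str                # "time" (smartphone), "proximity" (Gear 2 Neo), "wrist" (Apple Watch)
    passcode_set: bool = True  # several watches leave this off by default
    idle_timeout_min: int = 15 # the paper's "say after 15 minutes" example
    locked: bool = False
    idle_min: int = 0
    paired: bool = True
    on_wrist: bool = True

    def event(self, name, minutes=0):
        """Apply one event and return whether the device is now locked."""
        if not self.passcode_set:
            return False                      # no passcode: data is never locked
        if name == "idle":                    # time passes with no user interaction
            self.idle_min += minutes
            if self.policy == "time" and self.idle_min >= self.idle_timeout_min:
                self.locked = True
        elif name == "use":                   # user interacts, resetting the idle clock
            self.idle_min = 0
        elif name == "unpair":                # out of range, or Bluetooth disabled
            self.paired = False
            if self.policy == "proximity":
                self.locked = True
        elif name == "pair":                  # back within range of the phone
            self.paired = True
            if self.policy == "proximity":
                self.locked = False           # protection is disabled while paired
        elif name == "reboot":
            if self.policy == "proximity":
                self.locked = True            # the Gear 2 Neo locks on reboot
        elif name == "remove":                # wrist sensor detects the watch taken off
            self.on_wrist = False
            if self.policy == "wrist":
                self.locked = True
        elif name == "unlock":                # correct passcode entered
            self.locked = False
        return self.locked

def run(policy, events, passcode_set=True):
    """Replay (event, minutes) pairs against a fresh device; return the final lock state."""
    watch = WatchLock(policy, passcode_set=passcode_set)
    for name, minutes in events:
        watch.event(name, minutes)
    return watch.locked

if __name__ == "__main__":
    # Watch taken while still within Bluetooth range of the owner's phone:
    # a time-based lock engages after the timeout, a proximity-based one never does.
    nearby_theft = [("idle", 20)]
    print("time:", run("time", nearby_theft), "proximity:", run("proximity", nearby_theft))
```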

Next, the Security Research Team emulated a determined attacker whose goal is to obtain access to the data on the device. Analysis uncovered that, while a passcode can be enabled on the device, an attacker could easily access the data through the micro-USB connection interface when USB debugging is enabled. While this interface allows for the syncing of data from a PC or Mac, it also exposes a command shell. We determined that no passcode or account password was required to access the command line in this manner. For those familiar with the Android Debug Bridge (ADB), the Samsung operating system offers a very similar facility but requires the Tizen SDK.

What’s key here is that connecting the smartwatch to a PC or Mac is very different than connecting a smartphone. Syncing data between a smartwatch and a computer can be very different than syncing a mobile device and a computer. Most iOS and Android smartphones and tablets require that you first enter the PIN to unlock the device before it can sync to a computer. The Samsung Gear 2 Neo does not require the user to unlock the smartwatch to access its data from a computer. Even with the passcode enabled, the command line can be accessed unauthenticated (this was recently patched by Samsung). It is quite common for users to enable USB debugging across smartphones and tablets and now smartwatches. USB debugging allows users to customize their devices by loading media such as pictures, as well as to side-load apps.

If USB debugging is enabled, a determined attacker could navigate around the directory structure and view files on the device, including log files that enumerated further information. The Security Research Team was using the developer account, but there are known techniques for the Samsung Gear 2 Neo that allow for privilege escalation to root. This vulnerability was shared with Samsung back in March 2015 through responsible disclosure, and Samsung was very responsive in issuing a software update to disable this feature.

Motorola Mobility Moto 360

The Motorola Moto 360 is one of the leading smartwatches using the Android Wear platform and operating system. Like many of the other smartwatches, it leverages the Android Wear pairing app as well as the Motorola Connect app. Aside from the built-in health features and alarm, the Moto 360 allows notifications from apps, including email. It’s important to note that until Android app developers embrace Android Wear and add support in their apps, the Moto 360 will not be able to access apps including email apps. Therefore the Moto 360 receives notifications, but viewing the details is relegated to the mobile device. Whether smartwatches receive notifications from business applications or actual content such as email, enterprises must consider the risks of such data on the Moto 360.

Current versions of the Moto 360 purchased online or in stores do not seem to include the latest software update (Android Wear 5.1.1). This is important because the device has no password protection (ours was version 5.0.2). Whether paired or unpaired the device provides no lost or stolen protection. The latest software update Android Wear 5.1.1 adds optional password protection. Additionally, encryption is typically employed at the app level and is dependent on the developer’s desire to add it.

The Security Research Team expects greater security enhancements to be available as the device and Android Wear platform mature and are accepted more in enterprise applications.

Shenzhen Qini U8

For price-sensitive shoppers, generic smartwatches are available for purchase online. The Security Research Team acquired a Chinese-manufactured Shenzhen Qini U8 smartwatch, which runs Nucleus, a common embedded operating system. A pairing app is required to sync the smartwatch with an Android smartphone. The “Smartwatch Helper” pairing app is available from an unknown IP address in China, notably outside of the Google Play store. The U8 Plus model now has a pairing app for Apple iOS.

Once the Shenzhen Qini U8 was paired with the Android test smartphone over Bluetooth, data began to sync to the Messaging app. Notifications were received from permitted apps, including email. Contacts also synced to the device automatically. The only obvious security mechanism built into the device is the “anti-lost” feature that simply alarms when the device is lost, stolen, or simply out of range of the paired smartphone. There is no passcode option to protect the data on the device.

The aforementioned “Smartwatch Helper” pairing app was also analyzed. Some suspicious behaviors were identified, such as the ability to retrieve information about the mobile service carrier, read the root filesystem, download cache, and collect the phone number, IMEI, and more.

This device was considered high-risk for data loss as the data on the device is unprotected. Furthermore, the pairing app is downloaded from an unknown IP address and the app itself exhibited some suspicious behaviors. This stresses the importance of only downloading apps from the curated Google Play store and avoiding side-loading and untrusted sources. Restrictions on side-loading and untrusted sources can also be enforced with EMM security policies.
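The suspicious behaviors listed for the “Smartwatch Helper” app, and the side-loading concern raised here, are the kind of signals an app reputation or EMM check can score before a pairing app is allowed on a managed device. The following is an added example, not MobileIron's or any vendor's code: the weights, the triage function and the sample manifest are constructed for illustration, while the permission strings and the Play Store installer package name are real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PLAY_STORE_INSTALLER = "com.android.vending"   # Google Play's installer package

# Permissions that expose the data types the pairing-app analysis flagged
# (carrier, phone number, IMEI, cached and downloaded content). Weights are
# this example's own choice, not a published scoring scheme.
RISKY = {
    "android.permission.READ_PHONE_STATE": (3, "phone number, IMEI, carrier"),
    "android.permission.READ_EXTERNAL_STORAGE": (2, "downloaded and cached content"),
    "android.permission.READ_CONTACTS": (2, "contacts"),
    "android.permission.READ_SMS": (3, "SMS content"),
    "android.permission.INTERNET": (1, "network egress for collected data"),
}

def triage(manifest_xml, installer):
    """Return (risk_score, findings) for a pairing app's manifest and its installer."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    score, findings = 0, []
    for perm in sorted(perms & set(RISKY)):
        weight, why = RISKY[perm]
        score += weight
        findings.append(f"{perm}: access to {why}")
    if installer != PLAY_STORE_INSTALLER:
        score += 3   # side-loaded: none of Google Play's curation applied
        findings.append(f"installed by {installer or 'unknown source'}, not Google Play")
    return score, findings

# Constructed manifest resembling an over-privileged Bluetooth pairing app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.watchhelper">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    score, findings = triage(SAMPLE_MANIFEST, installer=None)
    print(f"risk score {score}", *findings, sep="\n")
```

A real deployment would take the installer from the platform's package manager and the manifest from the installed APK; both are passed in here so the check runs offline.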

Apple Watch

Apple takes security a step further than some of the other smartwatches analyzed. When setting up the Apple Watch for the first time, it performed a pairing (and key exchange) between the iPhone and the Watch. In addition, a PIN or Passcode (short or long) can be set on the Watch, which can be enabled at setup. This passcode is combined with the sensors built into the watch that determine whether it is physically on the user’s wrist. When removed from the wrist, the passcode protection kicks in to protect the data on the Watch.

There are a few videos on the web that demonstrate removing the Watch while having a second user slip their fingers under the Watch to fool it into believing it’s still on the wrist. In this scenario, a second user could make a fraudulent purchase with Apple Pay from the Watch. While it’s an interesting and simple hack, the risk of this happening without the first user’s knowledge is low. The first user would need to be in close proximity to the second user and would most likely be aware of the wrist swap.

Notifications can be received on the Watch from any Apple AppStore app. But it is important to note that, aside from the stock apps (email for example), only apps that have added the WatchKit extension will have their app and data viewable on the Watch. While there are millions of apps in the AppStore, there are roughly 6,000 apps that have added the WatchKit extension as of the publishing of this report. The WatchKit extension provides a variety of security options, notably encryption of the data at rest in the app. Some enterprise apps have added the WatchKit extension with security and encryption controls. One example is TigerText, which allows for secure texting from the Apple Watch.

Data can be stored or cached on the Watch even when it is offline. This data includes cached images, notification data, and built-in apps. This is different from the data at rest on apps that may employ the WatchKit extension, and thus the offline cache relies on the parent app on the iPhone to store data. If the Watch loses connectivity with the iPhone the user cannot interact with the parent app or its data. This is expected to change with WatchOS 2 this fall, where the Apple Watch will have the ability to directly connect to Wi-Fi.

When an iPhone is managed by a mobile device management (MDM) or enterprise mobility management (EMM) platform, additional security controls are available. For example, when an iPhone is quarantined or retired, iOS managed apps (those apps distributed via the MDM/EMM platform) can be remotely wiped from the iPhone. This removes the managed app and its data not only from the iPhone but also from the paired Watch.

Apple Watch security is covered in depth in the iOS 8.3 Security Guide available from Apple here: https://www.apple.com/business/docs/iOS_Security_Guide.pdf. It will be important to determine what additional controls can be leveraged when iOS 9 and watchOS 2 are released in the fall.

The following are some best practices for enterprises looking to embrace the Apple Watch in a secure manner:

• Deploy enterprise apps to the iPhone using Managed App options within the MDM or EMM platform. This will allow removal of the app and data from the Apple Watch when the iPhone is quarantined or retired.
• Confirm whether the enterprise app vendors have added the WatchKit extension, and what security controls are being used to protect the data on the Watch. The AppStore descriptions will sometimes indicate if the WatchKit extension is not part of the app.
• Encourage users to enable a PIN or Passcode for the Apple Watch when pairing (or post-pairing).
• Leverage jailbreak and malware detection tools to quarantine an iPhone and remove enterprise-managed apps from the iPhone and Watch.
• Publish best practices and procedures for using the Apple Watch to protect not only enterprise data, but also a user’s personal data. This should include Apple Pay and, most notably, using a passcode on the Watch.

Smartwatch Best Practices for the Enterprise

Smartwatches present various risks to enterprise data. Some smartwatches are less secure than others. Security for these devices needs to continue to mature, much like it did for smartphones and tablets. Fortunately, some MDM and EMM vendors provide containerization to separate enterprise data from personal data. MDM and EMM containers or personal information management (PIM) solutions for Android and iOS can provide protection against accessing corporate email and data from a smartwatch. This provides a balance between allowing smartwatches to be paired with managed devices and limiting what enterprise data can reside on the smartwatch.

The following best practices should be prioritized by enterprises looking to keep corporate data secure on smartwatches:

• Encourage users to enable a PIN or Passcode on the smartwatch. This will protect both corporate and personal data.
• Consider using an MDM or EMM containerization solution to separate corporate and personal data, and to control which data can be viewed on the smartwatch.
• Leverage an App Reputation or Mobile Threat Prevention solution integrated with your MDM or EMM to identify risky behaviors occurring with the pairing app on the mobile device.
• For Android, consider using the MDM or EMM to allow Bluetooth audio only, and to disable data transfers via Bluetooth. The latter would block pairing of a smartwatch to an Android device.
• Additionally for Android, leverage enforcement policies to deter side-loading of apps and downloading through untrusted sources outside of the curated Google Play.
• For iOS, leverage the EMM Managed Apps features to remove apps (with the WatchKit extension) and their data from the Apple Watch when quarantined or retired.

Summary

In summary, our security research brought to light that security postures across smartwatches vary broadly. Some include encryption, passcode, and sensor security controls, while others provide very little security at all. Additionally, most of the smartwatches are not on par with the security inherent in the latest mobile devices, and there is a lack of enterprise mobility APIs available to perform policy enforcement on the devices. However, a few smartwatches, such as the Apple Watch, do have some indirect security policy controls. For example, when an iPhone is quarantined or retired and the managed (enterprise) apps are removed, they disappear from the Apple Watch as well.

| Analysis | Motorola Mobility Moto 360 | Shenzhen Qini U8 | Samsung Gear 2 Neo | Apple Watch |
|---|---|---|---|---|
| Platform/OS | Android Wear | Nucleus | Tizen | Watch OS |
| PIN/Passcode | Added in Android Wear 5.1.1 | None found | Optional, no user prompt | Optional (user option), prompted |
| Encryption | Optional at app level | None found | Optional at app level | Yes, Watch Data Protection and optional app level |
| Lost/Stolen Protection | Locks when pairing lost (if enabled) | Alerts (buzz) | Locks when pairing lost (if enabled) | Locks when removed from wrist |

We anticipate the continued growth and advancement of smartwatches, especially in terms of security. As enterprises embrace these devices for enterprise applications such as healthcare, field maintenance, and more, we expect smartwatch vendors to place an even stronger emphasis on security. We hope this will lead to the introduction of more smartwatch security options, as well as security management APIs to allow enterprises to refine their security postures.
