MobileIron Analysis of Smartwatch Security Risks to Enterprise Data v 1.2 MKT-9170 | © 2015 MobileIron, Inc.

MobileIron Analysis of Smartwatch Security Risks to Enterprise Data

Executive Summary

Consumers are purchasing smartwatches to pair with their mobile devices to track health information, but also to access corporate email, calendar, contacts, and corporate apps. This can present a risk to enterprise data leading to possible data loss, but to what extent?

For most organizations, smartwatch security became a priority with the release of the Apple Watch in April 2015. MobileIron had been analyzing smartwatch security risks prior to the Apple Watch release, as demonstrated by the vulnerability identified and reported to Samsung for the Samsung Gear 2 Neo back in March 2015. Samsung was very responsive in issuing a software update to disable this feature.

MobileIron’s Security Research Team analyzed a myriad of smartwatches to identify the risks to enterprise data by pairing them with a mobile device that is connected to enterprise resources, such as email or calendars. The team researched smartwatches that can be paired with Android and iOS devices. Some smartwatches can pair with both the Android and iOS platforms. A pairing app is required for all of the smartwatches tested.

The team analyzed the Apple Watch, Motorola Mobility Moto 360, Samsung Gear 2 Neo, and Shenzhen Qini U8 to ensure that a nice cross-section of smartwatches was analyzed. Each of these devices represents a different wearable operating system. Additionally, the MobileIron Security Research Team analyzed the pairing apps installed on the mobile devices. While most pairing apps were benign, the whitepaper outlines a less common Chinese-manufactured smartwatch that presented some suspicious behaviors. This could pose a risk to personally identifiable information such as access to downloaded and cached content, phone hardware information, and more. This particular pairing app was downloaded outside of the Google Play store, and any potential risks present remind us of the importance of enforcing the curated apps within Google Play.

One of the most important aspects discovered during the research is the difference in passcode protections of smartwatches when compared to mobile devices. Most people are familiar with setting a mobile device PIN or passcode as a fundamental security best practice to avoid data loss in a lost or stolen scenario. Once the passcode is set, a time-based policy on the device locks the device, say after 15 minutes of non-use. Smartwatches use the passcode in a much different way. They commonly use a proximity-based approach to protecting the smartwatch. The passcode protection is enabled when the smartwatch loses connectivity to the mobile device (typically Bluetooth), for example, if it was stolen. Furthermore, the Apple Watch uses sensors to determine if it’s on the user’s wrist and enables the passcode protection when the sensor detects that it has been removed. In all of the smartwatches tested, the passcode was an option. The Apple Watch was the only one that prompted for a passcode during setup.

What follows is a detailed analysis of four smartwatches, followed by a summary and best practices guidance at the end of the whitepaper.

Samsung Gear 2 Neo

One smartwatch that was analyzed was the Samsung Gear 2 Neo. This smartwatch can sync with an Android-based smartphone with the Samsung Gear pairing app. From there the user can pick and choose what apps to receive notifications from, as well as sync email, calendar, contacts, make calls, and sync and respond to SMS messages. Furthermore, attachments such as photos can be downloaded and saved on the smartwatch. When pairing the Gear 2 Neo with a corporate managed smartphone, the user can sync corporate email to the smartwatch.
In this scenario, enterprise data is present on the smartwatch, so the data is potentially vulnerable to any risks to the watch itself. This was the genesis behind our research.

The Samsung Gear 2 Neo provides an option for passcode protection, which is disabled by default; the user is not prompted to set it. This means that if the smartwatch were lost or stolen, an attacker would have full access to the data on the device. A security-minded user can find the PIN option under Settings on the smartwatch and set a passcode, which only accepts numbers. It’s important to note that, as with many other smartwatches, the passcode protection is not time-based like a smartphone, but proximity-based. This means that as long as the smartwatch is paired with the smartphone, the passcode protection is disabled. Only when the smartwatch becomes unpaired from the smartphone (either because it’s out of proximity or because the user has disabled Bluetooth) does the passcode protection become enabled. This is also the case when the smartwatch is rebooted.

Next, the Security Research Team emulated a determined attacker whose goal is to obtain access to the data on the device. Analysis uncovered that, while a passcode can be enabled on the device, an attacker could easily access the data through the micro-USB connection interface when USB debugging is enabled. While this interface allows for the syncing of data from a PC or Mac, it also provides a command line shell. We determined that no passcode or account password was required to access the command line in this manner. For those familiar with the Android Debug Bridge (ADB), the Samsung Tizen operating system is very similar but requires the Tizen SDK. What’s key here is that tethering the smartwatch to a PC or Mac is very different from tethering a smartphone. Syncing data between a smartwatch and a computer can be very different from syncing a mobile device and a computer.
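To make the lock behaviour described above concrete, the following is an added Python model (not MobileIron’s code and not any vendor’s implementation) that encodes the three points the Gear 2 Neo analysis turns on: the phone-style time-based lock, the watch’s proximity-based lock that also re-engages after a reboot, and the USB-debugging shell that ignores the passcode entirely. The WatchState fields, event names, minute values and timeline are assumptions constructed for illustration.

```python
"""Executable model of the lock behaviour described for the Gear 2 Neo:
a smartphone-style idle timeout versus the watch's proximity-based lock,
plus the USB-debugging shell that is reachable regardless of either.
Added illustration; the timeline and minute values are constructed."""

from dataclasses import dataclass

IDLE_TIMEOUT_MIN = 15  # the "say after 15 minutes of non-use" phone policy


@dataclass
class WatchState:
    passcode_set: bool = False      # Gear 2 Neo default: off, user not prompted
    paired: bool = True             # Bluetooth link to the phone is up
    usb_debugging: bool = False
    patched: bool = False           # vendor update that closes the shell
    last_user_activity: int = 0     # minute of the last interaction
    rebooted_since_unlock: bool = False


def time_locked(state, now):
    """Phone-style policy: lock after IDLE_TIMEOUT_MIN minutes of non-use."""
    return state.passcode_set and now - state.last_user_activity >= IDLE_TIMEOUT_MIN


def proximity_locked(state):
    """Watch-style policy: lock only when unpaired or freshly rebooted."""
    return state.passcode_set and (not state.paired or state.rebooted_since_unlock)


def shell_accessible(state):
    """The debug shell never consults the passcode; only leaving USB
    debugging off or applying the vendor patch closes it."""
    return state.usb_debugging and not state.patched


def apply_event(state, t, event):
    """Advance the model by one constructed event occurring at minute t."""
    if event == "user_activity":          # owner uses / unlocks the watch
        state.last_user_activity = t
        state.rebooted_since_unlock = False
    elif event == "phone_out_of_range":
        state.paired = False
    elif event == "phone_in_range":
        state.paired = True
    elif event == "reboot":
        state.rebooted_since_unlock = True
    elif event != "check":                # "check" only samples the state
        raise ValueError(f"unknown event {event!r}")


def assess(state, now):
    return {
        "time_locked": time_locked(state, now),
        "proximity_locked": proximity_locked(state),
        "shell_accessible": shell_accessible(state),
    }


def run_timeline(state, events):
    """Apply each (minute, event) in order and record the assessment after it."""
    results = []
    for t, ev in events:
        apply_event(state, t, ev)
        results.append((t, ev, assess(state, t)))
    return results


# Constructed timeline: an hour of non-use next to the phone, a short
# separation from the phone, a return, then a reboot.
CONSTRUCTED_TIMELINE = [
    (0, "user_activity"),
    (60, "check"),
    (61, "phone_out_of_range"),
    (62, "phone_in_range"),
    (63, "reboot"),
]

if __name__ == "__main__":
    watch = WatchState(passcode_set=True, usb_debugging=True)
    for t, ev, a in run_timeline(watch, CONSTRUCTED_TIMELINE):
        print(f"t={t:3d} {ev:19s} {a}")
```

Running it shows the gap the analysis describes: after an hour of non-use next to the phone, the phone-style policy has locked while the watch remains open, and the shell column stays True in every row until the patch is applied or USB debugging is turned off, which is why a passcode alone was not a sufficient control on the Gear 2 Neo.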
Most iOS and Android smartphones and tablets require that you first enter the PIN to unlock the device before it can sync to a computer. The Samsung Gear 2 Neo does not require the user to unlock the smartwatch to access its data from a computer. Even with the passcode enabled, the command line can be accessed unauthenticated (this was recently patched by Samsung). It is quite common for users to enable USB debugging across smartphones and tablets, and now smartwatches. USB debugging allows users to customize their devices by loading media such as music and pictures, as well as to side-load apps. If USB debugging is enabled, a determined attacker could navigate around the directory structure and view files on the device, including log files that enumerated further information. The Security Research Team was using the developer account, but there are known rooting techniques for the Samsung Gear 2 Neo that allow for privilege escalation to root. This vulnerability was shared with Samsung back in March 2015 through responsible disclosure, and Samsung was very responsive in issuing a software update to disable this feature.

Motorola Mobility Moto 360

The Motorola Moto 360 is one of the leading smartwatches using the Android Wear platform and operating system. Like many of the other smartwatches, it leverages the Android Wear pairing app as well as the Motorola Connect app. Aside from the built-in health features and alarm, the Moto 360 allows notifications from apps, including email. It’s important to note that until Android app developers embrace Android Wear and add support in their apps, the Moto 360 will only be able to access apps, including email apps, through their notifications. Therefore the Moto 360 receives notifications, but viewing the details is relegated to the mobile device.
Whether smartwatches receive notifications from business applications or actual content such as email, enterprises must consider the risks of such data on the Moto 360. Current versions of the Moto 360 purchased online or in stores do not seem to include the latest software update (Android Wear 5.1.1). This is important because the device has no password protection (ours was version 5.0.2). Whether paired or unpaired, the device provides no lost or stolen protection. The latest software update, Android Wear 5.1.1, adds optional password protection. Additionally, encryption is typically employed at the app level and is dependent on the developer’s desire to add it. The Security Research Team expects greater security enhancements to be available as the device and Android Wear platform mature and are accepted more in enterprise applications.

Shenzhen Qini U8

For price-sensitive shoppers, generic smartwatches are available for purchase online. The Security Research Team acquired a Chinese-manufactured Shenzhen Qini U8 smartwatch, which runs Nucleus, a common embedded operating system. A pairing app is required to sync the smartwatch with an Android smartphone. The “Smartwatch Helper” pairing app is available from an unknown IP address in China, notably outside of the Google Play store. The U8 Plus model now has a pairing app for Apple iOS.

Once the Shenzhen Qini U8 was paired with the Android test smartphone over Bluetooth, data began to sync to the Messaging app. Notifications were received from permitted apps, including email. Contacts also synced to the device automatically. The only obvious security mechanism built into the device is the “anti-lost” feature, which simply alarms when the device is lost, stolen, or simply out of range of the paired smartphone. There is no passcode option to protect the data on the device. The aforementioned “Smartwatch Helper” pairing app was also analyzed.
Some suspicious behaviors were identified, such as the ability to retrieve information about the mobile service carrier, read the root filesystem, download cache, and collect the phone number, IMEI, and more.
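The pairing-app findings above, together with the Executive Summary’s point about enforcing curated Google Play apps, suggest two checks an administrator can run before a pairing app is allowed onto a managed phone. The following is an added Python example (not MobileIron’s code and not an analysis of the real “Smartwatch Helper” app): it flags which sensitive data a pairing app’s manifest lets it read (phone number and IMEI, contacts, SMS, cached files on shared storage) and which packages were not installed by the Play Store. The manifest, the package names and the pm output are constructed for illustration; the permission names are real Android permissions, and the pm output follows the format assumed for `adb shell pm list packages -i`.

```python
"""Static triage of a smartwatch pairing app before it is allowed on a
managed phone: which sensitive data its manifest lets it read, and whether
it came from Google Play. Added example; the manifest, package names and
pm output below are constructed, not taken from the real pairing app."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PLAY_STORE_INSTALLER = "com.android.vending"

# Real Android permission names, mapped to the data they expose.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "phone number, IMEI, carrier identity",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "stored SMS",
    "android.permission.RECEIVE_SMS": "incoming SMS",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_EXTERNAL_STORAGE": "downloads and cached content on shared storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# What a Bluetooth pairing app legitimately needs; anything else is worth a look.
EXPECTED_FOR_PAIRING = {
    "android.permission.BLUETOOTH",
    "android.permission.BLUETOOTH_ADMIN",
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed manifest for a hypothetical pairing app.
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.watchhelper">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Watch Helper"/>
</manifest>
"""

# Constructed lines in the assumed format of `adb shell pm list packages -i`
# ("package:<name> installer=<installer package or null>").
CONSTRUCTED_PM_OUTPUT = """\
package:com.android.chrome installer=com.android.vending
package:com.example.watchhelper installer=null
package:com.example.othervendor installer=com.example.sideloader
"""


def permissions(manifest_xml):
    """Return the uses-permission names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def triage(manifest_xml):
    """Summarise the data a pairing app could reach if it were installed."""
    root = ET.fromstring(manifest_xml)
    perms = permissions(manifest_xml)
    return {
        "package": root.get("package"),
        "flagged": {p: SENSITIVE[p] for p in perms if p in SENSITIVE},
        "unexpected": [p for p in perms
                       if p not in SENSITIVE and p not in EXPECTED_FOR_PAIRING],
        "can_identify_handset": "android.permission.READ_PHONE_STATE" in perms,
    }


def not_installed_by_play(pm_output):
    """Packages whose recorded installer is anything other than the Play Store."""
    result = []
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        name, _, installer = line[len("package:"):].partition(" installer=")
        if installer.strip() != PLAY_STORE_INSTALLER:
            result.append(name)
    return result


if __name__ == "__main__":
    report = triage(CONSTRUCTED_MANIFEST)
    print(report["package"], "can read:", ", ".join(report["flagged"].values()))
    print("unexpected permissions:", report["unexpected"])
    print("not from Play:", not_installed_by_play(CONSTRUCTED_PM_OUTPUT))
```

Two caveats apply. A manifest says what an app may read, not what it does; the root-filesystem reads observed above need no manifest permission at all, so static triage only narrows the list and must be combined with the kind of runtime observation the Security Research Team performed. Second, preinstalled system packages also report a null installer, so the installer check should be run against the third-party list (`pm list packages -3`) rather than every package on the phone.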