Blog: Macs / Apple

Apple watch. A must-have or another personal security nightmare?

James Mace 11 Mar 2015

AppleWatch

So the next Apple revolution is soon to be in a shop near you, the Apple Watch. Coming in many different flavours and boasting a whole world of features to make this innovative tech improve your daily life. From paying for your pesto chicken wrap to monitoring your heartbeat when you catch a glimpse of the bill, the capabilities of the Apple Watch are still unfolding.

But, before you rush off to stand in the quarter mile queues outside the Apple shop, it’s worth taking note of the potential information this device can store about you.

Creepy data

We often say in security, information gathering and enumeration are the most important phases of an attack, and in the case of the Apple Watch, a wealth of information can be gathered. This includes daily activity, movement, sleep cycles, diet and heart rate. There is also the potential for further devices and tracking sensors being purchased as ‘add-on’s’, with a glucose monitor being rumoured as one such medical device.

This sensitive information combined can be used to create a fairly accurate electronic diary of many aspects to your life. There is risk that these sensors can be abused by rogue applications; imagine a rogue application being able to access this highly sensitive information repository and returning that data to an assailant.

The watch itself does not have cellular connectivity and cannot be run independently from a separate Apple iPhone to transmit data to an external entity. Though it should be noted that this does not stop the watch from information gathering in the meantime and transferring this back to the ‘mothership’ once back in range. This may sound better for trying to avoid being tracked 24/7, but the critical link – the authentication model between handset and watch, has not yet been released. With the watch being Wi-Fi and Bluetooth enabled, you don’t want to open up this sensitive data to eavesdropping and the local network if the device decides to sync when you’re drinking your latte in Costa. An ‘evil twin’ attack may also be applicable here.

Everything is fine…

In an effort to minimise data falling into the wrong hands and to control the level of access applications have, Apple provides a set of guidelines which developers ‘must’ conform to:

https://developer.apple.com/app-store/review/guidelines/

The problem with guidelines, is they are just that – guidelines and do not provide a 100% guarantee that apps conform and everyone plays happy families. The problem in this case is that no one is validating the applications which can potentially turn rogue and it is down to the end user to manage their security. With such a powerful device being placed in the hands of users, security awareness really should be driven home proactively rather than reactively after it’s too late.

What should you do before you buy?

Know that once your data has been logged or stored, it is very difficult to remove. So be conscious before you even begin tracking.

Be aware of the risks and the types of information you are storing, keep on top of privacy settings and be incredibly suspicious of any third party apps which try to access the various API’s without your consent.

Use mainstream applications where possible which have a high likelihood of having been scrutinised by security experts – leading to a more ‘gentle’ application with thorough usage policy.

Even consider consulting with your doctor first, to determine whether the types of information you can track are actually helpful to improving your health and not just the health of an advertiser’s bank account. Don’t fall for the overhyped marketing gimmicks.

It is likely that most of this data will be linked back to the unique Apple ID linked to your devices, in which case we would re-iterate the paramount importance of using 2FA:

https://support.apple.com/en-gb/HT204152

It’s not just Apple

It should be noted that Apple products are not the only ones susceptible to data leakage through wearable tech, recently a number of Android centred watches have hit the market, all with similar features. Unwarranted permissions have been a re-occurring issue, with even the most popular apps accessing sensitive information which would be deemed ‘not relevant’ to the applications working.

After wading through the swaths of information found online, we would advise trying to keep a tight knit control of which applications you download and what information they are allowed to access – if unsure, seek further advice.