Wearable devices are gaining traction, with estimates that more than 175 million will be in use by 2018. Today, one in five Americans owns such a device, and one in 10 wears one daily (PwC). Most HR and IT departments have little concern for employees’ use of these devices. We don’t think of them as having a hard drive with sensitive data, WiFi or cellular activity, or even a continuous connection to the Internet. You may want to think twice.
Case in point: Fitbit, a wearable fitness device, has now proven to be vulnerable to hackers. By just passing within 30 feet of a victim, attackers can pass malware via Bluetooth within 10 seconds and infect the device on your wrist. Your Fitbit automatically syncs over Bluetooth with your mobile device (phone, tablet, what have you), which uploads your data along with the malware to the Fitbit server. The malware in turn executes in your browser the next time you visit the Fitbit site to track health statistics.
The code that was uploaded to the legitimate Fitbit site from your mobile device is then capable of infecting your laptop at your next login. Your attack surface has now potentially expanded from your Fitbit to your corporate laptop as a result of visiting a trusted site.
Such attacks can spread to any number of wearable device types. And neither HR nor corporate IT can prevent employees from using these devices. Not yet, anyway.