Buyer beware. Could anti-covid technology be introducing major security risks?
Stephen Boyle, Senior Cyber Security Consultant for Thales writes…
As we all return to a more ‘normal’ way of working post-Covid, employees are being encouraged to return to the workplace and employers face pressure to keep them safe. Technology might hold some of the answers. But can it be trusted?
We recently tested one piece of wearable technology which is marketed as a simple way to help people maintain a safe distance from each other. On paper, it sounds super-safe. It doesn’t capture sensitive information and doesn’t track the wearer’s location. All it does is react – with sound and vibration alerts – when it comes within range of another device.
Nevertheless, we took it to bits.
What we found – especially as we now live in an age of state-sponsored hacking, data theft and ransomware – was worrying. Our tests revealed no fewer than five security issues, three of them rated as high risk. Here’s what we discovered:
- The device has several vulnerabilities, including unauthenticated access and insufficient firmware authenticity checks, that could expose it to supply chain attacks which would prevent it from performing as intended, with the potential for rogue firmware files to be pushed to it.
- The software also had several vulnerabilities related to an authentication mechanism which could be bypassed. Other weaknesses exacerbated the problem.
Having said that, most of these vulnerabilities can’t be exploited unless the attacker has physical access to the device in question, or has been able to compromise the workstation on which its software is running.
I should also say that these issues can be fixed with a firmware update. But that’s not the point. We buy these things to keep our businesses safe. And we expect them to have robust security built in.
The device we tested is just one product selected from dozens that are on the market. Identifying it would be unfair because we have no way of knowing whether it is better or worse than the others. And just because a device can be hacked, it doesn’t necessarily follow that it has been or ever will be.
We’re all under tremendous pressure to perform. And we want people to get back to a normal work environment. Many companies will turn to technology for a solution. But does anti-covid tech introduce unforeseen and unquantifiable risks? I’m afraid this one does. The others?
No one knows.