Opinion: Beware that fake smartwatch. It's a malware magnet
With the rise of Internet-connected wearables such as the Fitbit and Apple Watch, fakes are proliferating, too. They are cheap but can also carry malicious software designed to steal personal information and infect other machines.
If you've ever walked down Canal Street in Manhattan, you're all too familiar with the array of knockoffs, from Louis Vuitton lookalikes and Rolex fakes to inferior versions of iPads and smartphones. While most consumers are fully aware that Canal Street wares are knockoffs, few will probably admit to knowingly buying illegal goods made in the most inhumane of conditions.
Most, if not all, knockoffs found in Chinatown, in back-alley markets and now online, originate in East Asia, particularly in China. In 2014, the Organization for Economic Cooperation and Development (OECD) estimated that Chinese counterfeit products cost the global economy around $250 billion. Yet the world has been mostly silent when it comes to mitigating this black market of goods.
Historically, consumers of knockoffs have understood that the items are illegitimate, but the purchase has been widely considered a harmless transaction. However, the business of buying and selling fakes is becoming riskier in the Digital Age.
The selection of counterfeit goods found on Canal Street or online now includes a vast array of wearables, as devices such as the Fitbit or the Apple Watch grow in popularity. A recent search for the Apple Watch on Alibaba.com, the Chinese e-commerce website that broke records with its more than $162 billion valuation, returned more than 32,000 results, the majority of them fakes with prices starting as low as $5. What's most concerning is not the number of items for sale, but rather the extremely low price point at which these watches are being sold. That suggests sellers are profiting in other ways.
Late last year, The Guardian reported on an electronic cigarette charger being preloaded with malware – infecting users' computers once plugged into the USB port. While some in the security industry dismissed the article as sensationalism, it is an entirely possible scenario. What is confirmed is that the e-cigarette in question was a knockoff manufactured in China.
In another example from just this past March, the International Business Times confirmed that fake Xiaomi smartphones had preinstalled malware. Really, any Internet-connected device can be targeted this way.
But counterfeit wearables also present a major problem for businesses, and even have the potential to impact national security.
According to a recent OpenDNS report, Internet-connected "devices are actively penetrating some of the world's most regulated industries including healthcare, energy infrastructure, government, financial services, and retail." As businesses consider implementing policies for how to treat wearables, and as governments impose rules to safeguard their assets, they must consider the general availability of counterfeit devices and how to protect themselves from those gadgets.
Currently, personal and corporate information, such as Social Security numbers, credit card information, and e-mail credentials, is sold on the Dark Web for as little as 80 cents. This unprecedented affordability has increased the demand for more detailed records exponentially, as hackers race to obtain the information needed to turn a profit.
Earlier this month, the US Office of Personnel Management revealed that it was the victim of a massive targeted attack, widely thought to have been initiated by China, that exposed the records of as many as 14 million current and former government employees. While we don't yet know the source of the intrusion, it is feasible that this event, or one in the future, could originate from a government employee's malware-infected wearable.
Putting the fear factor aside, the current arms race for information has increased the risk of identity theft, fraud, terrorist acts, and unauthorized expenditures for billions of people around the globe. The reason for this is simple: the risk/reward ratio for manufacturers of counterfeit wearables to preload each device with malware, capture valuable information, and then sell that information on the Dark Web or to rogue nations is high on reward and light on risk. It's relatively easy to do, hard to trace, and the consumer or organization is almost always unaware until after the damage is done. From a purely financial standpoint, a manufacturer that historically makes $10 net profit per device can increase his or her earnings by anywhere from 8 percent to 100 percent, or greater, per device, depending on how valuable the Dark Web deems the information.
In perhaps the most ironic news in years, the Chinese People's Liberation Army recently announced that it has banned its soldiers from wearing smartwatches "out of security fears." In other words, the very same country that produces and sells some of the world's most vulnerable devices is OK with doing so, as long as those same devices pose no threat to its own national security interests.
The vast economic incentives strongly suggest that we're not going to see an end to at-risk knockoffs anytime soon. As such, perhaps it's time for law enforcement to take a deeper look into the pervasive counterfeit culture before widespread damage to personal, corporate, or national security is done.
Chris Rouland is a veteran cybersecurity expert and entrepreneur. He is currently the founder and chief executive of Bastille, the first company to detect and mitigate threats to the Internet of Things. Follow him on Twitter @chris_rouland.