Opinion: Beware that fake smartwatch. It's a malware magnet
If you've ever walked down Canal Street in Manhattan, you're all too familiar with the array of goods on offer, from Louis Vuitton lookalikes and Rolex fakes to inferior versions of iPads and smartphones. While most consumers are fully aware that Canal Street wares are knockoffs, few will probably admit to knowingly buying illegal goods made in the most inhumane of conditions.
Most, if not all, knockoffs found in Chinatown, in back-alley markets and now online, originate in East Asia, particularly in China. In 2014, the Organization for Economic Cooperation and Development (OECD) estimated that Chinese counterfeit products  Yet the world has been mostly silent when it comes to mitigating this black market of goods.
Historically, consumers of knockoffs understand that the items are illegitimate, but it's widely considered a harmless transaction. However, the business of buying and selling fakes is becoming riskier in the Digital Age.
The selection of counterfeit goods found on Canal Street or online now includes a vast array of wearables as devices such as the Fitbit or the Apple Watch grow in popularity. A recent search , the Chinese e-commerce website that broke records with its more than $162 billion valuation, has more than 32,000 results, with the majority of them being fakes with prices starting as low as $5. What's most concerning is not the number of items for sale, but rather the extremely low price point at which these watches are being sold. That suggests sellers are profiting in other ways.
Late last year, reported on an electronic cigarette charger being preloaded with malware, infecting users' computers once plugged into the USB port. While some in the security industry dismissed the article as sensationalism, it is an entirely possible scenario. What is confirmed is that the e-cigarette in question was a knockoff manufactured in China.
In another example from just this past March, the confirmed that fake Xiaomi smartphones were proven to have preinstalled malware. Really, any Internet-connected device can be targeted this way.
But counterfeit wearables also present a major problem for businesses, and even have the potential to impact national security.
According to a recent , Internet-connected "devices are actively penetrating some of the world's most regulated industries including healthcare, energy infrastructure, government, financial services, and retail." As businesses consider implementing policies for how to treat wearables, and as governments impose rules to safeguard all of their assets, they must consider the rather general availability of counterfeit devices and how to protect themselves from those gadgets.
Currently, personal and corporate information, such as Social Security Numbers, credit card information, and e-mail credentials, is sold on the Dark Web for as little as 80 cents. This unprecedented affordability has increased the demand for more detailed records exponentially, as hackers race to obtain the information needed to exploit it for profit.
Earlier this month, the US Office of Personnel Management revealed that it was the victim of a , widely thought to be initiated by China, that exposed the records of as many as 14 million current and former government employees. While we don't yet know the source of the intrusion, it is feasible that this event, or one in the future, could originate from a government employee's malware-infected wearable.
Putting the fear factor aside, the current arms race for information has increased the risk of identity theft, fraud, terrorist acts, and unauthorized expenditures to billions of people around the globe. The reason for this is simple: the risk/reward ratio for manufacturers of counterfeit wearables to preload each device with malware, capture valuable information, and then sell that information on the Dark Web or to rogue nations is high on reward and light on risk. It's relatively easy to do, hard to trace, and the consumer or organization is almost always naïve until after damage is done. From a purely financial standpoint, a manufacturer that historically makes $10 net profit per device can multiply his or her earnings by anywhere from 8 percent to 100 percent, or greater, per device, depending on how valuable the Dark Web deems the information.
In perhaps the most ironic news in years, the Chinese People's Liberation Army recently announced that it has banned its soldiers from " In other words, the very same country that produces and sells some of the world's most vulnerable devices is OK in doing so, as long as those same devices pose no threat to their own national security interests.
The vast economic incentives strongly suggest that we're not going to see an end to at-risk knockoffs anytime soon. As such, perhaps it's time for law enforcement to take a deeper look into the pervasive counterfeit culture before any widespread impact to personal, corporate, or national security is done.
Chris Rouland is a veteran cybersecurity expert and entrepreneur. He is currently the founder and chief executive of Bastille, the first company to detect and mitigate threats to the Internet of Things. Follow him on Twitter .