Trendy consumer gadgets are reaching the market faster than ever, and the next viral product is always right around the corner. While these innovations aim to make consumers’ lives easier and more efficient, the rapid development of these products often creates security risks for users, especially as hackers and malicious actors get more creative.
When commercial drones were brought to market as recreational tools in 2013, for example, consumers jumped at the chance to use them for a wide range of personal purposes, from photography to flying practice. Many security risks emerged, however, and it became clear that drones can be used maliciously to do anything from tracking and monitoring to causing physical harm and societal disruption.
GPS-enabled devices are now experiencing the same growing pains.
The current threat environment
GPS-enabled devices have been on the market for a while, but consumer use has boomed in recent years. The newest device making waves is Apple’s AirTag — a small device that tracks personal items such as keys, wallets and backpacks.
With an affordable price tag, consumers have jumped at the opportunity to keep track of their belongings more easily. As adoption has grown, however, so have security and privacy concerns. Malicious actors can easily slip these devices into people’s belongings and track them.
While the risk to consumers is clear, businesses and influential figures can also be targeted. GPS-enabled devices can be used to track day-to-day business movements and identify exploitable weak points.
Apple has remediated some of these risks by releasing a personal safety guide outlining the steps users should take if they find an unknown AirTag or suspect someone has gained access to their product. Yet these risks highlight a broader problem with GPS-enabled devices. Threat modeling in the design phase of tech development must evolve to uncover emerging security risks — before consumers get their hands on the devices.
How threat modeling helps
Threat modeling is an effective way to identify potential threats and vulnerabilities and thus reduce security risks to resources and products.
As threat environments evolve, however, so too must threat modeling processes. Solely following compliance and regulation requirements is no longer sufficient. Tech providers must now think creatively to seek out potential vulnerabilities.
Companies must also realize that threat modeling and design reviews can’t be accomplished in a vacuum. They must be thought of as fluid processes that get updated and tailored to specific products. This proactive approach helps protect end users and eliminates the need for businesses to scramble to provide fixes after a product reaches the market or, in a worst-case scenario, is recalled.
Society has adopted GPS-enabled devices, and their popularity is only expected to grow — despite their security risks. The onus is on the tech industry to adopt a security-first mindset when developing products and take the time to test for potential vulnerabilities. This extra care will give consumers peace of mind and will enable the tech industry to continue innovating — safely.
About the author
Nabil Hannan is managing director at NetSPI. He leads the company’s consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Hannan has more than 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, including risk analysis, pen testing, secure code review and vulnerability remediation, among others.