Electronic Pickpocket: Security Risks of Wearable Devices

April 17, 2018 | Article

Are Wearable Devices Secure?

If you knew something was tracking your every move—where you’ve been, where you’re planning to go, and who you’ve been talking to—you’d be on high alert, call the authorities, and try to remove yourself from the situation. Our technology does these very activities and yet millions of people dedicate their day to feeding it more information.

According to statistics websites such as Statista and Smart Insights, 103 million wearable devices were sold in 2016, and there were 325 million connected worldwide. This trend is only expected to rise as wearable devices successfully help consumers manage and increase comfort in their daily lives.

One problem right now is that people often don’t understand the risks associated with these wearables. Desktop and laptop computers can be hacked and exploited for information—and so can wearables. Wearable technology as we know it today has not been around long. Learning how it’s used not only to track our information but help in instances of litigation through computer forensic and eDiscovery situations is an ongoing process.

However, wearables are extremely vulnerable to exploitation. We’ll discuss the risks of wearable devices, why they are vulnerable and which sources we should look towards to resolve these issues.

Information Risks of Wearable Devices
Wearable devices are part of an overall category of electronics termed “The Internet of Things.” This category includes items that are always connected online through Bluetooth, Wi-Fi, cellular data, etc. Like all devices that are constantly connected to the internet, they can be discovered and exploited. So, we have to think about what kind of information can be discovered and used. We have an in-depth article about that here. Data stored on these devices can contain some of your most sensitive information—information that could harm you if it was in the wrong hands. For instance, if a company is breached, it could flag compliance issues with PII (Personally Identifiable Information) and HIPAA (Health Insurance Portability and Accountability Act).

Many employers use information from wearable devices such as fitness trackers to provide deductibles and benefits to their employees. Each connection to the wearable is a link that must be vetted for security. And one of the major problems is that this data is stored outside of your own internal network of devices. The issue becomes especially serious with smaller companies. Security of these devices is not a new issue but it is an expensive one. Even for the most successful companies, it takes a conscious effort to maintain a secure environment for the data.

One of the most recent cases of information potentially being exploited was uncovered by CNN on Jan. 29, 2018. Fitness trackers worn by military personnel were tracking their movements and uploading the data to a heat map for viewing. It was an extremely dangerous situation not only for the individual soldiers on their routes, but for the entire military base, which could be stationed in a classified area.

Reasons for Wearables Vulnerabilities
So why exactly are these wearables so vulnerable?

  1. There’s no encryption on the stored data.
    It’s hard to believe but even now, there’s still unencrypted information stored in our most personal devices. Whether it’s on the device or in transit to the cloud, the streams of data are capable of being read in clear text without protections in place. In a recent study for the Huffington Post by students at the University of Edinburgh, vulnerabilities on two different models of fitness trackers were found when information was attempting to sync to the cloud as well as on the devices themselves. These vulnerabilities were made possible due to the lack of encryption on the information.
  2. There’s no way to monitor usage.
    Unlike a traditional computer hack, where logs and user activity would be used to determine a breach, wearable devices have no way of determining if they have been compromised. There is no way to do this until the compromise has either invaded another system or your information is found to have been used. The device could be compromised for weeks without your knowledge unless blatant activity such as credit card use or malfunctions of the software make themselves known.
  3. They’re closely tied to other devices.
    Think for a moment about which other devices you tie to your wearable to feed or view its information. A phone, a computer, maybe your email account? Each of these becomes a vulnerable target that can be compromised by an infected wearable device. Whether through direct synchronization or continuously trying to break in, you would be unaware of it happening because again there’s no way to know if the breach is coming from your own device. Our wearables are purposely designed to communicate and share information with other devices to provide us a seamless experience. Unfortunately, the same can be said for the poor experience of malware.
  4. Unsecured Bluetooth/Wi-Fi connections are open to vulnerabilities.
    Most of these wearable devices have the ability to connect to a network or other device using Bluetooth or wireless communication. It’s how they’re supposed to operate, by speaking across devices to give you the information you want. However, the security measures typically used to authenticate devices during communications across channels do not apply to these wearables. Typically there are firewalls, anti-virus programs and other security measures, such as passwords to connect to a wireless network, that are in place to verify communications are secure. When pairing wearables with Bluetooth connections, the options for security measures are little to none. They rely on the security of the wireless and Bluetooth connection. However, there are no authentication measures in place for your Bluetooth device being paired—not even a PIN code or password to pair it with another device.
  5. They have simplistic or nonexistent internal security.
    The main security features these devices have are the updates pushed to patch them. But how often do we honestly update these devices? Even then, the updates are usually for software user interface experiences, not security, because there is no built-in security. The software used to construct these devices is simplistic so they’re compatible with a multitude of devices, and the source code for many of them is publicly available for exploitation. In the end, the security is left up to either the consumer or a third-party software developer (of the operating system).
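
Reason 4 can be verified from the pairing exchange itself. The Python code below is an added example, not part of the original article: it decodes Bluetooth Low Energy Security Manager pairing request/response bytes (field layout and flag bits per the Bluetooth Core Specification, Vol 3, Part H) and reports when the two sides fall back to unauthenticated “Just Works” pairing. The function names and sample byte strings are constructed for illustration.

```python
# Added example: audit a BLE pairing exchange for unauthenticated pairing.
IO_CAPS = {0: "DisplayOnly", 1: "DisplayYesNo", 2: "KeyboardOnly",
           3: "NoInputNoOutput", 4: "KeyboardDisplay"}
MITM_BIT, SC_BIT = 0x04, 0x08   # AuthReq flags: MITM protection, Secure Connections


def parse_pairing_pdu(pdu: bytes) -> dict:
    """Decode a 7-byte SMP Pairing Request (0x01) or Pairing Response (0x02)."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not an SMP Pairing Request/Response")
    _code, io, oob, auth, key_size, _init_keys, _resp_keys = pdu
    if io not in IO_CAPS:
        raise ValueError(f"reserved IO capability 0x{io:02x}")
    return {"io": io, "oob": bool(oob & 1), "mitm": bool(auth & MITM_BIT),
            "sc": bool(auth & SC_BIT), "max_key_size": key_size}


def association_model(request: bytes, response: bytes) -> str:
    """Return the pairing method the two sides end up using."""
    ini, rsp = parse_pairing_pdu(request), parse_pairing_pdu(response)
    sc = ini["sc"] and rsp["sc"]              # Secure Connections needs both sides
    # OOB data: either side suffices under Secure Connections, both under legacy.
    if (ini["oob"] or rsp["oob"]) if sc else (ini["oob"] and rsp["oob"]):
        return "Out of Band"
    if not (ini["mitm"] or rsp["mitm"]):      # nobody asked for MITM protection
        return "Just Works"
    if 3 in (ini["io"], rsp["io"]):           # one side has no screen or keys
        return "Just Works"
    if sc and ini["io"] in (1, 4) and rsp["io"] in (1, 4):
        return "Numeric Comparison"
    if ini["io"] in (0, 1) and rsp["io"] in (0, 1):   # neither side can type
        return "Just Works"
    return "Passkey Entry"


def audit(request: bytes, response: bytes) -> list:
    """List the weaknesses visible in one pairing exchange."""
    findings = []
    if association_model(request, response) == "Just Works":
        findings.append("unauthenticated pairing: no PIN, passkey or comparison")
    key = min(parse_pairing_pdu(p)["max_key_size"] for p in (request, response))
    if key < 16:                              # negotiated size is the smaller maximum
        findings.append(f"encryption key limited to {key} bytes")
    return findings


# Constructed samples: a phone asking for MITM + Secure Connections, a screenless
# tracker that offers neither, and a watch that can show a yes/no prompt.
PHONE_REQ = bytes([0x01, 0x04, 0x00, 0x2D, 0x10, 0x0F, 0x0F])
TRACKER_RSP = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x03, 0x03])
WATCH_RSP = bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x0F, 0x0F])

if __name__ == "__main__":
    print(association_model(PHONE_REQ, TRACKER_RSP), audit(PHONE_REQ, TRACKER_RSP))
    print(association_model(PHONE_REQ, WATCH_RSP), audit(PHONE_REQ, WATCH_RSP))
```

Even though the phone requests MITM protection, the tracker’s lack of any input or output forces the unauthenticated method, which is the situation the paragraph above describes.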

Sources and Solutions for Wearable Security
Where can these attacks come from? Well, it can either be targeted directly at your device, or it could be an existing infection on another one of your synchronized devices. It could also be the parent company of the device or the company providing updates. If they have been compromised, they could easily send out a fake update that infects any user that installs it without knowing.

Additionally, we need to learn to manage where all of this data is located. As new devices cycle into our lives, we need to be aware of the trail of information. In an interview with TechRepublic, Conan Dooley, senior security engineer at Box, talks about the major pitfall of wearable devices. “There is an opaque bubble around all of this data and what we do with it. Until we give people more access to their data and, frankly, the option to delete it, this thing has grown more personal as a result,” he said. While deleting data is a complex situation itself, it is a growing issue that must be addressed as more companies enter the marketplace and others risk shutting down or foreclosure. What is the lifecycle of that information?

It is up to the consumer to hold these companies accountable, make conscious decisions when purchasing these wearables and to raise the questions of security as they become more mainstream.
