Securing Smartwatches and Other Wearable Tech

The increase in popularity of smartwatches and other wearable devices looks set to continue for the foreseeable future. This is exemplified by the fact that the market is expected to be worth over $56.8 billion by 2025.

However, this increase in popularity is accompanied by security concerns and challenges in relation to mobile device security for both manufacturers and end users.

For those individuals who may not be familiar with the technology, smartwatches are portable wearable devices, often referred to as ‘wearables’ by aficionados. The devices can be used to track and monitor a vast array of metrics in relation to the user, including: the number of calories burnt; the number of steps walked; heart rate and the quality of sleep. They are usually worn by health-conscious individuals who use them to complement their sporting activities, get healthier and lose weight.

Wearable tech is not limited to watches and also includes items such as glasses, jewellery, wristbands and even clothing. These items can also be used for entertainment and healthcare. The main players in the market are global household names, including: Apple, Google, Fitbit, Samsung, LG and Huawei.

Essentially, wearables are relatively similar to cut-down smartphones. They include touchscreen displays and the ability to run various applications at the same time. Unlike smartphones though, wearable tech is not a standalone device and needs to be paired with other gadgets, such as smartphones.

Unfortunately, this often means that wearable tech is not as secure as other computing devices and therefore poses a risk to the user’s privacy and their personal data.

What Makes Wearables Vulnerable?

Because wearables must be paired with other devices, the pairing link itself has the potential to introduce security vulnerabilities. A hacker can then identify and exploit these vulnerabilities using, for example, a Man in the Middle (MITM) attack.

This kind of data leak could occur when data is being transferred between a smartwatch and the application on the user’s mobile device. The hacker can then use the intercepted data to their advantage, either stealing personal data or using it for further security breaches.

Examples of Wearable Tech

Google Glass

It was revealed that Google Glass allowed hackers to exploit and take control of the device using QR codes. These codes are used to point the device to a website or to direct it to a particular Wi-Fi network or Bluetooth device.

The mobile security firm Lookout was able to produce its own malicious QR codes, which forced Google Glass to connect to hostile Wi-Fi access points. This made it possible for the researchers to spy on Google Glass activity, including websites visited and media uploaded to the cloud. In addition, the researchers were able to divert Glass to a page on the access point containing a well-known Android 4.0.4 web vulnerability, which compromised Glass as it browsed the page.

Google Glass is no longer being sold to end users but both Facebook and Amazon have announced new smart glasses, meaning that well-documented concerns about security issues are still as relevant today as they were then.
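One way a wearable could handle scanned QR payloads so that a code by itself cannot change its network configuration, shown as an added example (not code from Google, Lookout or the original article). It assumes the common `WIFI:S:<ssid>;T:<type>;P:<password>;;` QR convention; the function names, the allowlist and the policy outcomes are hypothetical.

```python
from urllib.parse import urlsplit

TRUSTED_SSIDS = {"HomeNet"}   # constructed allowlist (assumption)
ALLOWED_SCHEMES = {"https"}   # constructed policy (assumption)


def parse_wifi_payload(payload):
    """Parse 'WIFI:S:<ssid>;T:<type>;P:<password>;;' into a dict, or None."""
    if not payload.startswith("WIFI:"):
        return None
    fields, current, escaped = [], [], False
    for ch in payload[5:]:
        if escaped:                 # a backslash escapes ';', ':', ',' and '\'
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ";":             # unescaped ';' ends a field
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    parsed = {}
    for field in fields:
        key, sep, value = field.partition(":")
        if sep and key:
            parsed[key] = value
    return parsed if parsed.get("S") else None


def decide(payload, user_initiated_scan):
    """Return (action, detail); the caller applies nothing without confirmation."""
    if not user_initiated_scan:
        # A code that merely passes in front of the camera is never processed.
        return ("ignore", "scan not requested by the wearer")
    wifi = parse_wifi_payload(payload)
    if wifi is not None:
        ssid = wifi["S"]
        if wifi.get("T", "nopass").upper() in ("", "NOPASS", "WEP"):
            return ("reject", f"open or weakly protected network: {ssid}")
        if ssid in TRUSTED_SSIDS:
            return ("confirm", f"join known network {ssid}?")
        return ("confirm_with_warning", f"join unknown network {ssid}?")
    try:
        url = urlsplit(payload)
    except ValueError:
        return ("reject", "malformed URL")
    if url.scheme in ALLOWED_SCHEMES and url.hostname:
        return ("confirm", f"open {url.hostname}?")
    return ("reject", "unsupported or unsafe payload")
```

Every outcome is a decision for the user interface to present; no branch joins a network or opens a page directly.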

Fitbit

Fitbits are wireless-activity tracking devices that measure the number of steps walked, sleep patterns, heart rate and more fitness and lifestyle-related data.

There have been instances where researchers have been able to demonstrate how Fitbits and other similar devices, such as medical devices that incorporate accelerometers, can be infiltrated and manipulated through acoustic interference.

It would be possible, in theory, for attackers to infiltrate these devices that unequivocally trust the unvalidated integrity of sensor outputs.

But why is it a big deal if a Fitbit gets hacked?

Fitbit data has been used in at least 2 criminal court cases. It was used by police in the USA to demonstrate that a 90-year-old murdered his stepdaughter: the Fitbit Alta device that she was wearing showed an increased heart rate followed by her heart stopping while the 90-year-old was visiting her.

The device’s data was also used as evidence in another murder case in the USA when Richard Dabate was charged with the murder of his wife. It was revealed that the Fitbit discredited his version of events.

The security experts who demonstrated the acoustic interference have warned against reliance on Fitbit data because the device has the potential to be hacked. The question concerns not only the reliability of the data but also the accuracy of the data itself.

Wearable devices can potentially pick up accurate data that can be traced directly and unquestionably to a user, therefore revealing sensitive and private information, including the live location of the wearer in real time.

Due to the widespread usage of the devices and the lack of awareness of the potential dangers, this becomes a genuine cause for concern when the user is located in a high-security location.

Wearable devices also pose a security risk due to the fact that they are required to transmit data to a paired device such as a smartphone.

The wireless feed that transmits into a smartphone over a Bluetooth connection is a genuine security risk. As the smartphone houses such an extensive amount of data, it is actually the real target for the hackers who are looking to find a way in through a less-secure wearable device.

Wearable tech also poses a security risk to the enterprise because it introduces an easy access point for an attacker to reach sensitive data related to security.

Smart Medical Devices

Wearable tech in the healthcare sector includes smart watches and monitors that collect health-related data such as cardiovascular, ECG, and blood pressure data.

Apple launched the Apple Heart Study application in 2017 to monitor users’ heart rhythms and alert those who are experiencing atrial fibrillation. The company has also released the “Movement Disorder API” to help researchers gather new insights into Parkinson’s disease.

Biosensors are an emerging type of medical technology that differs from traditional wrist trackers and smartwatches. For example, the Philips biosensor is a self-adhesive patch that enables patients to move around while collecting data related to their movement, respiratory rate, heart rate and temperature.

There is also the Hexoskin, a “smart shirt” that measures the wearer’s heart rate and breathing when the fabric stretches. It can also be used to monitor patients who have lung disease. The shirt is connected to a smartphone for the collection of the breathing data.

However, manufacturers are required to adhere to relevant legislation. Any data relating to one’s health is subject to the Health Insurance Portability and Accountability Act of 1996, which is a USA law for safeguarding the individual’s data privacy and the security of their medical information. Companies producing these types of wearables must disassociate the data from personally identifiable information (PII) to stop it being accessed by those who do not have permission to access a person’s health records.
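One way to disassociate wearable readings from PII before they are stored, shown as an added example (not code from the article or any vendor): each record is split into a health row and an identity row linked only by a keyed pseudonym. The field names, the key and the sample record are constructed, and the split illustrates the technique rather than any specific legal de-identification standard.

```python
import hashlib
import hmac

# Field names are assumptions about a hypothetical wearable sync record.
DIRECT_IDENTIFIERS = ("name", "email", "device_serial")
DROPPED_FIELDS = ("lat", "lon")   # precise location can re-identify a wearer

# Constructed demo key; a real key would come from a secrets manager.
SAMPLE_KEY = b"constructed-demo-key"

# Constructed sample record.
SAMPLE_RECORD = {
    "name": "Alex Example", "email": "alex@example.com",
    "device_serial": "SN-0001", "timestamp": "2024-03-01T07:42:19Z",
    "heart_rate": 71, "lat": 51.5007, "lon": -0.1246,
}


def subject_id(key, record):
    """Keyed pseudonym: stable per wearer, not recomputable without the key."""
    # A missing identifier raises KeyError, so incomplete records fail closed.
    identity = "|".join(str(record[f]).strip().lower() for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def split_record(key, record):
    """Return (health_row, identity_row) destined for separately controlled stores."""
    sid = subject_id(key, record)
    health = {k: v for k, v in record.items()
              if k not in DIRECT_IDENTIFIERS and k not in DROPPED_FIELDS}
    if "timestamp" in health:
        # Coarsen ISO-8601 timestamps to the hour to weaken linkage attacks.
        health["timestamp"] = health["timestamp"][:13] + ":00:00Z"
    health["subject_id"] = sid
    identity = {f: record[f] for f in DIRECT_IDENTIFIERS}
    identity["subject_id"] = sid
    return health, identity
```

The identity rows and the key belong behind stricter access control than the health rows, since together they are what re-links a reading to a person.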