Just as the 1990s were embodied in floppy disks, compact cassettes and rotary dials, today’s symbolic attribute is wearables. Owing to tremendous advances in the Internet of Things market, more and more people are interested in tracking their daily activities.
Chasing life optimization and a healthy lifestyle have become a global trend that is now integrating itself into pop culture. Demand for the wearables market is measured by the billions of apps and devices now in use around the globe. “I just ran 5.01 km @ a 6'45" pace”; “Burned 274 calories doing 35 minutes of elliptical trainer”; “Early wake-up success rate: 93%.” These are random examples of what people want to track using wearables—in order to stay fit, diagnose diseases, review behavior changes, keep up with goals or simply share their life’s successes through social media.
Advanced technology doesn’t necessarily mean safe technology, however—that’s why wearables also face the risks common to all mobile devices. Unfortunately, self-tracking services are often developed without considering the fact that the information they collect could be used against their owners. The devices themselves may be vulnerable by design: they analyze information we tend to consider unimportant. A Symantec scheme visualizes what information should be treated with greater care and attention to avoid security risks.
In fact, there are three separate components in a single system:
- Wearable device
- Device you transmit data to (e.g., smartphone)
- Cloud service where the data is stored
Thus, attackers have three vectors to invade your device. In the first case, since data from wearables is transmitted to your phone, access to personal information can be obtained through malware on the phone, or even by merely stealing it.
The second vector appears to be the most common one, as it relies on the technique that primarily enables targeted advertising: an attacker monitors connection channels (usually a Bluetooth network). Unlike targeted advertising, though, the attacker then creates man-in-the-middle conditions or collects anonymous data about people from their wearables when they are within easy reach.
Last but not least is the third and the most dangerous situation: when an attacker intentionally hacks a user’s cloud account and compromises the entire system.
Alright, you say, someone has stolen my self-tracking information, but what’s the harm? It’s just the number of miles I ran, right? Businesses collect information about their target audience, their habits and their behavior to compile comprehensive dossiers or offer specific services. For instance, they may track your locations and pace to determine outfits or sports equipment that may fit your interests. A good example would be the well-known ads in social networks popping up wherever there is free space; these ads are based on the pages you like, groups you join, services you subscribe to, links you click or even the content of messages you write. But your clicks and browser history may tell much more than you think—and some people may want to exploit the knowledge of your habits, personal connections, likes and dislikes, and so on.
Here are three cases of how your information might be used against you.
Unlawful Entry and Stalking
Sometimes, an allegedly harmless check-in may have drastic results. Over the long term, the places you visit can be collected and analyzed to find out about your lifestyle and habits, and then predict where you will end up on a Friday night. Or, to put it even more frankly, burglars may just check to see whether you are at home.
A recent Internet story tells the tale of a woman who shared news about going to a concert and came back home only to find out she had been robbed. So, before sharing your endless excitement about an upcoming vacation and checking in at the airport, make sure your house is secure.
The iCloud nude photo scandal once again proved just how dangerous any private information may turn out to be. Attackers do not necessarily need your photos, however—they may be completely satisfied with the information you are tracking.
Again, you may ask, how would anyone blackmail me because of my, let’s say, heart-rate data? Imagine a politician using a health-care related wearable. For a particular reason, some attackers watch the activities of this politician and get ahold of his health information. Using social engineering or some malicious software, they have the potential to influence the data generated by wearables and make the politician think he is suffering from a health condition, distracting him from an election or important matters at hand.
Health Danger: Life-Threatening Attacks
This last risk is least probable, but it is potentially the most dangerous and can even be fatal. Barnaby Jack’s experiment showed that by attacking health devices, such as pacemakers and insulin pumps, it is possible to increase the voltage of the pacemaker or the insulin dose and kill a person.
Quo Vadis, Wearables?
The growing demand for wearables enabling multiplexed self-tracking is quickly becoming a driving force for a new level of technology development. Among the most recent innovations is the MindRDR application, a module that monitors brain activity and facilitates management of Google Glass, basically enabling control using the mind.
Every innovation encounters security problems, however. In particular, because it connects all sorts of devices into one system, the Internet of Things’ main security risk is the fact that misuse of or an attack against one element can compromise the entire system.
Chasing the self-tracking trend, many people forget about the security of their private data, and as a result, they forget about protecting their physical safety as well. The main countermeasure is rather simple: stay alert and follow the basic rules for wearables security. No matter how reliable your service provider or device seems, trust but verify, and remember that any data you track, save and share could be used against you, if not secured properly.
About the Authors
Nazar is a highly regarded IT security and network infrastructure expert. He specializes in many security disciplines including computer forensics, malware analysis, intrusion detection and mobile-application security assessments. Nazar holds a Ph.D. in information security from the State University, Lviv Polytechnics. Stanislav specializes in network solutions development and specifically focuses on security-related challenges. He holds a bachelor’s degree in information security from the State University, Lviv Polytechnics.