Cisco predicted that by the year 2020, 50 billion new wearable devices would be connected through the IoT. This increases points of connection exponentially, and that translates into a huge opportunity for hackers.
A number of research experiments have demonstrated that wearable devices like Fitbits can be manipulated through acoustic interference. It’s true that there are no immediate ramifications of a nefarious nature other than possibly gaming the count of one’s steps, but the researchers do warn of this: “For instance, should one trust the step count from a Fitbit as evidence for an alibi?” How can it be relied upon if it’s possible to inflate the number of steps through a hack?
This is a question of reliable accuracy, but sometimes it is the accuracy itself that poses a problem. Wearables might be picking up accurate information that is traced directly to the individual and so reveal quite a lot. (For more on wearable security, see 5 Things to Know About BYOD Security.)
For example, many wearables have a default that will update the wearer’s location in real time. This is a serious problem when that location is associated with a military base that is meant to be secret. In January 2018, The Washington Post reported “U.S. soldiers are revealing sensitive and dangerous information by jogging.”
When this location data is linked to military personnel, it reveals more about movements than the military wants made public, like the locations of military bases that are meant to be secret. This major breach of military security was brought to the public’s attention by tweets from Nathan Ruser, who noticed how zooming in on areas like Syria revealed military bases.
What Your Location Says About You
Even if an individual’s location does not reveal military secrets, it might reveal more than they would like as people connect the dots of their comings and goings. Beyond tipping off people who want to know when someone is not at home in order to rob the house, detailed knowledge about where they go and how long they stay tells a lot about them – more than they may want others to know.
A recent New York Times article quoted Senator Ron Wyden, Democrat of Oregon, who is pushing for bills that would regulate such tracking and the sale of the associated data, which has been connected to phone companies. In his words: “Location information can reveal some of the most intimate details of a person’s life – whether you’ve visited a psychiatrist, whether you went to an A.A. meeting, who you might date.”
Even if the wearable is not set to share location, it poses some dangers to security because of the way it works to transmit data. It’s the whole chain of connection setup that creates the potential to find and exploit the weakest link to get at your valuable data.
A 2015 TechCrunch article entitled “Wearables: a Pandora’s Box for Security?” explained the dynamics of the daisy chain of data. Though the data that wearables pick up and then wirelessly feed into a smartphone over a Bluetooth connection is somewhat limited, they do form an essential point of connection. As the smartphone itself holds a lot more data, it is the real target for hackers, who can find a way in through the often poorly secured wearable device.
Candid Wueest, a member of the Symantec team, has already demonstrated how easily hackers could find targets of this sort. He showed that a Raspberry Pi could detect Bluetooth devices in a crowd, a technique that hackers could use to track wearables.
Just accessing the mobile device that wearables work off can reveal information people may not realize is far from secure. It all adds up to a pool of data that has great value for hackers. In fact, the data collected and stored on your mobile device can be worth 10 times the value of a credit card on the black market, TechCrunch asserts. (Learn more about protecting your devices in 5 Solutions to Counter Mobile Security Threats.)
For the Enterprise
Wearables also introduce new points of vulnerability at the enterprise level, offering an easy access point for an attack that could result in hackers getting hold of sensitive data. Vinay Anand, vice president of ClearPass Security at Aruba Networks, described the problem in a CIO article:
As the wearables are usually connected to a variety of cloud apps and, depending on an organization’s BYOD policy, the corporate network, this can be a launch point for an attack. This means that malware and other forms of attacks can use that path to compromise the phone and then other resources inside the network. The attacker would have access to legitimate enterprise credentials that would lead to loss of, or the ransom of, sensitive data.
One form of sensitive data, of course, is information related to one’s health. On the collector end of the wearable data, anything subject to HIPAA would have to protect the privacy of the individual, so the manufacturers would be wise to find a way to disassociate the body of data from personally identifying information that could be accessed by anyone who does not have legal clearance to see a person’s health record.
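One way to disassociate the health data from identifying information, as described above, is to split each synced record into two separately stored parts linked only by a keyed token. This is an added example, not code from the article or from any wearable vendor; the field names, sample record and key are constructed for illustration, and because location alone can identify a person, the coordinates are coarsened before they enter the health store.

```python
import hashlib
import hmac

# Hypothetical field names for one synced wearable record (not a vendor schema).
IDENTITY_FIELDS = ("user_id", "name", "email", "device_serial")
DEMO_KEY = b"constructed-demo-key"  # assumption: real key lives only with the identity store

SAMPLE = {  # constructed sample record
    "user_id": "u-1001", "name": "Pat Example", "email": "pat@example.com",
    "device_serial": "SN-000123", "timestamp": "2018-01-28T06:30:00Z",
    "heart_rate": 72, "steps": 4210, "lat": 38.8977, "lon": -77.0365,
}

def pseudonym(user_id, key):
    """Keyed token linking the two stores; not recomputable without the key."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:32]

def coarsen(lat, lon, places=1):
    """Round coordinates (1 decimal is roughly 11 km of latitude)."""
    return round(lat, places), round(lon, places)

def split_record(record, key):
    """Return (token, identity_part, health_part) for separate storage."""
    token = pseudonym(record["user_id"], key)
    identity = {f: record[f] for f in IDENTITY_FIELDS if f in record}
    health = {k: v for k, v in record.items()
              if k not in IDENTITY_FIELDS and k not in ("lat", "lon")}
    if "lat" in record and "lon" in record:
        health["lat"], health["lon"] = coarsen(record["lat"], record["lon"])
    health["subject"] = token
    return token, identity, health

if __name__ == "__main__":
    token, identity, health = split_record(SAMPLE, DEMO_KEY)
    print("identity store:", {token: identity})
    print("health store:  ", health)
```

Anyone reading only the health store sees measurements under an opaque token; re-linking them to a person requires both the identity store and the key.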