Why We Need to Rethink Security for Wearable Tech

As ubiquitous computing continues to become the focal point of our daily lives, it is more important than ever to make decisions about the scope of data people unknowingly share. With wearable technology, users are enjoying the comfort that comes through ambient intelligence. However, they also risk potentially exposing their private data to nefarious actors. For example, a hacker may gauge the best time to rob victims while they sleep based on their leaked heartbeat data. Hackers can also use data to discover medical conditions that can be exploited for illegal gains.

Security in wearable technology is different from the precautions people take in other settings. This is due to the increased attack surface exposed by such devices. In 2015, a vulnerability in the Fitbit wristband was disclosed that allowed an attacker to upload malicious code when the device was in close range. The code could then be transferred to any connected computer making other devices vulnerable as well.

Bluetooth is becoming the premier connectivity option for a majority of wearable devices. Unfortunately, Bluetooth is not secure, and it continues to be a weak link in the security chain. Freely available tools, such as Crackle, can be used to crack Bluetooth encryption. A solution could be to move to proprietary connection schemes. However, this would mean sacrificing the ease of use that comes with the universal availability of Bluetooth devices.

Increased exposure to being spied upon is a major concern with wearable technology. Non-tech oriented people are not expected to know if their smartwatch is listening to all their private conversations. Would they have the same level of comfort if they knew this? There are many parties interested in such data and it should be the utmost priority of the vendor to secure it. There is no reason in this day and age to not use end-to-end encryption on devices. Lawmakers should push for standardized rules that require encryption on all wearable tech. The state itself, however, is one of the parties interested in obtaining such data! Therefore, an honest effort from their side cannot be expected. Users should be aware of this and must demand that this feature is present on a device they deeply integrate into their lives.

Another problem with wearables is their potential to harm the wearer physically. Medical wearables are the most sensitive in this regard. With DDOS attacks increasing both in frequency and intensity over the last few years, it is very probable to witness a hacker knocking off an entire network of medical devices in the future. This would leave patients vulnerable. In 2012, a security researcher named Barnaby Jack showed that it is possible to deliver an 830-volt jolt using a hacked pacemaker. This increased attack surface only adds even more lethal methods to an attackers arsenal. Security guidelines should take into account limiting the power characteristics of devices worn. They should also confirm the standards while assuming the device will be operated at its extreme in case of illegal access. Many problems can be avoided if vendors abandon the workflow of building the device first and thinking about security repercussions later. They should be aware of that fact that when making a pacemaker, it is also a device that can be potentially used in unintended ways. They must adopt the mindset of using Default Deny policy instead of Default Permit.

Fortunately, the doctors working with former US Vice President Dick Cheney had the good sense to disable wireless access to his pacemaker. Others, however, might not be fortunate enough to have a dedicated team worrying for their safety. Therefore, vendors and the security community at large should set baselines for what is the expected behavior of devices in various settings, as well as their recommended communication schemes. Vendors must also identify and isolate weak links in order to limit their impact on consumers.