Smart devices are exploding onto the scene, from smart watches to Google Glass, but security experts warn that the data they produce is a gold mine for hackers
Wearable technology is going mainstream, with around 10 million smart glasses, fitness bands and watches expected to be sold in 2014, according to consulting firm Deloitte. With the launch of Google Glass in the UK this week, public interest in the category has piqued once again, and early adopters are already exploring ways in which a tiny screen that is permanently in line-of-sight will complement the array of screens they already use.
But experts are warning that the explosive growth in wearable technology could lead to a security nightmare. Like PCs and smartphones, wearable devices create a ‘data exhaust’ that is extremely attractive to cybercriminals. However, the data created by wearable devices is even more personal and detailed than that produced by smartphones, allowing these criminals to gain an in-depth understanding of their targets.
One of the most apparently innocent forms of wearable technology is smart fitness bands – like the Jawbone Up24, Fitbit Force, Nike FuelBand or Pebble Watch – which measure a range of activities from paces walked to hours slept. While it may seem surprising that this data would be of any interest to cybercriminals, Sian John, security strategist at Symantec, claims that it can be invaluable.
For example, most people turn on their fitness trackers as soon as they step outside their front door. If a hacker can gain access to the data exhaust from one of these devices, it is relatively easy work out where a target lives, where they work, and where they stop for coffee in the morning. The hacker could then use this information to engineer a meeting and either extract information by pretending to be a friend, or steal their keys or security pass.
“It seems a little bit sci-fi, and it’s not going to happen everyone. But if someone is trying to get into an organisation they will go to extraordinary lengths,” said John.
With major technology companies planning to move into the into the wearables arena, the functionality of smartwatches is set to increase rapidly. Apple launched a HealthKit app earlier this year, which aggregates data from health and fitness trackers, and is rumoured to be working on its own iWatch. Meanwhile, Samsung already offers a range of Galaxy Gear smartwatches, and Google is rumoured to be launching a version of its Android operating system for wearable devices at its developer conference this week.
These devices will provide an even richer source of data for cybercriminals to tap into, according to John. For example, data extracted from a smartwatch that shows a person has chronic high blood pressure could be used to prove a person is unfit for work. A cybercriminal could use this information to blackmail a target, or even publicly discredit them.
“You look at people being concerned about a lot of the healthcare data that’s stored by the doctors, while at the same time bit by bit collecting and sharing that data themselves,” said John. “If you take that data and put some context and some knowledge around it, you could turn that into quite useful information.”
Without the proper security, wearable devices are also just as susceptible to hijacking as PCs and smartphones. Some devices, like Google Glass, have cameras built into them that can be used to take pictures and videos. If a cybercriminal was able to compromise one of these devices using a QR code or something similar, they could snap images, helping to build up a complex picture of where a target is, what they are doing and who they are meeting.
The wearable devices could also act as gateways to other devices, such as smartphones, or data stored in the cloud. If the smartwatch or eyewear is unprotected it becomes the weak point in the chain, giving hackers a backdoor to your confidential data.
At the most dangerous end of the scale, cybercriminals could potentially hijack the technology upon people’s lives depend, such as insulin pumps and pacemakers. Last year, former US Vice President Dick Cheney revealed that his doctor had ordered the wireless functionality of his heart implant disabled, due to fears it might be hacked in an assassination attempt – a scenario depicted in popular TV drama Homeland.
While this may seem far-fetched, John said that it was not beyond the realms of possibility. In 2012, security researcher Barnaby Jack reverse-engineered a pacemaker to deliver an 830-volt shock to a person’s device from 50 feet away – which he likened to an “anonymous assassination.” He also showed how, with a push of a button on his laptop, he could have any insulin pump within 300 feet dump its entire contents, without even needing to know the device identification numbers.
“Unfortunately it’s pretty much a history of the human race that whenever we do something, we do it first and then we think about the risk and security afterwards,” said John. “So when people are building pacemakers they’re thinking about the fact that they build pacemakers, and then they’re putting connectivity into them. But if they’re putting connectivity into them, they need to understand the risks of that from a security perspective.”
Inevitably, many cybersecurity experts are accused of scaremongering, in order to get people to buy their products. However, John acknowledges that there is very little consumers can do to protect themselves from these risks, beyond choosing strong passwords and turning their fitness trackers on at the end of the street, rather than outside their front door. It is really up to the wearable technology manufacturers themselves to bake security into their devices.
“A lot of these systems will come with the ability to secure them to some extent. If you look at even mobile phones, they all come with some security features baked in. But in the surveys we’ve done, only 50 per cent of people even enable those security features. Most of what we need to is make sure that we as an industry either build or make security easy for these devices,” she said.
“It’s when you get devices from multiple manufacturers that want to communicate, that’s when you need to look at security of communication between them, but that’s something that you will see coming, it’s not going to be there yet, it’s looking at how you extend what you can do for mobile into wearable technology security.”
She added that the key thing is not to get too paranoid, just to be aware not to over-share everything. Wearable devices may come with an inherent risk, but they also have a lot of benefits. In some cases they may even improve security, with smartwatches being used as authentication devices, for example.
‘If you do have all these different devices you can get more context about who you are, and that might help us to make you more secure. So we might have more confidence that you are who you say you are if you’ve got three or four of your wearable devices around you, rather than if you just had one,” said John.
“It’s an interesting concept, and we’d need to look at how that would be used in practice – whether you could use that for authentication, getting rid of passwords, or whether you could just use it to have more confidence in who you are as a person. We tend to always look at the negative, but the positive is that maybe we can use that to build a bigger picture.”
For most people, this will all seem a long way off, but if Apple and Google do decide to get in on the wearables act this year, things will start moving very quickly. Even if it is just a case of being mindful of the risks involved, consumers should enter this market with their eyes open, because the stakes are higher than ever before.