The Security Implications of Wearables, Part 1
The Internet of Everything has given rise to new gadget categories in every electronics retail shop. Smart wearables are rapidly becoming more commonplace than you think. While not everyone has Google Glass, you can bet that a lot of people have fitness trackers and even smart watches.
By ‘wearable devices,’ we mean those pieces of equipment that people can have on themselves as they go about their day. The purpose of these devices is usually to measure bodily functions or to serve as an output for other devices. These two functions can overlap to provide a more rounded experience of the user’s everyday reality as it happens.
In this series of posts, we are going to review possible attacks and risks associated with wearable devices. Bear in mind that these are largely theoretical and/or conceptual. They are not current attacks, and therefore they may or may not happen, depending on how the electronics market evolves and how other attack vectors keep criminals focused on different, juicier targets. Our intent here is not to scare users into avoiding this new device category but to encourage vendors to build security into these devices from the get-go.
The Three Categories
There are three very broad categories that we can use to describe what we are talking about.
1. The ‘IN’ devices. These are sensors that capture a user’s data at all moments. Here, we find fitness sensors that measure the user’s steps, distance, effort, calories, heartbeat, GPS coordinates, etc. These devices usually store the information locally on the device and synchronize with mobile phones or PCs to upload that data, and afterwards send it to the user’s cloud account for historical logging and statistical display. Future devices that we have not yet seen include medical devices that could monitor health parameters, such as body temperature, oxygen in blood, etc.
2. The ‘OUT’ devices. These are devices that output data coming from other devices, usually mobile phones. Here, we find smartwatches and the like, which are able to display texts and any application data for ease of use. Data displayed usually comes from internet sources by means of the intermediate device.
3. The ‘IN and OUT’ devices. These are devices that capture data and use filters to display it differently. Here, we find display devices such as Google Glass, which have cameras that capture reality but also feed data to the user by means of retina projection. These devices have the ability to enhance the user experience by filling in information on top of reality. Simpler devices also act as ‘IN and OUT’ by both gathering user data (steps, distance, etc.) and streaming data from their companion mobile phone.
While these are distinct categories, the tendency is for devices to coalesce into IN and OUT because makers want to add as much value as possible. One example would be devices that record fitness information but also notify users of text messages, events, and other information from mobile devices.
The Security Standpoint
From a security standpoint, it’s hard to say which category is more secure than the others. This is because the difference among the categories is primarily about attack vectors. The more things a device can do, the more possibilities exist for attackers. In this case, IN and OUT devices have a larger attack surface and the most potential for attacks. However, this doesn’t mean that they are less secure. Security will depend on the implementation and the “track record” of the device. By track record, we mean the number of attacks it has withstood over time. For newly introduced devices, cybercriminals may take a longer time to “test” them. However, as devices mature over time and hackers fully understand the inner workings of these devices, the platform isn’t as secure anymore.
In the next blog posts, we will look at the possible attacks and risks associated with wearable devices.
For more information about wearables and other smart devices, you may visit our Internet of Everything hub.