Wearable Security

Cloud Security Bytes
Apr 9, 2023

Technology has advanced significantly in the past few years, including the development of wearable devices: computing devices that can be worn on the human body, such as smartwatches.

Wearable devices have become popular in various domains such as entertainment, healthcare, and security, providing opportunities for continuous monitoring of human activity through small sensors. They have become more affordable and accessible, making them increasingly common.

Based on research conducted in the area of wearable security by various security agencies, below is the exhaustive list of concerns that such devices have been found to raise for individual and corporate privacy/security, depending on the nature of the exposure.

These cover the risks involved with devices like Google Glass, Fitbits/fitness trackers, and Android/Apple smartwatches.

(i) Insecure transmission of data via Bluetooth for local device storage

An attacker in the vicinity can simply use sniffers to detect the broadcast signals while a wearable device communicates over Bluetooth, and steal data without authorization.

(ii) Software communication to the Cloud via a cellular (LTE) or Wi-Fi network (for devices having that capability)

The potential for loss of private data here is high. Privacy and safety issues might arise from attacks that exploit this vulnerability, including man-in-the-middle and redirection attacks, which could cause data to be sent to the wrong server.

(iii) Insecure data storage option on Cloud

The data synchronized to the Cloud could be exposed to a number of risks, including distributed denial of service (DDoS) attacks, SQL injection, or back door attacks.

(iv) Lack of authentication and authorization

Most wearable devices do not come with a built-in security mechanism such as user authentication or PIN protection, and they usually store data locally without encryption.

(v) Lack of physical security controls

Because of their small size, wearable devices such as fitness bands are likely to be misplaced or lost. A lost or stolen device puts the confidentiality, integrity and availability of the personal data on it at risk if it falls into the wrong hands.

(vi) User Identity and Data Privacy risks

Embedded sensors such as cameras and microphones capture data about the individual and also the surroundings, often without their consent. MEMS (microelectromechanical systems) gyroscopes have been found to be sensitive enough to pick up some sound waves, which effectively turns them into crude microphones. A conversation could therefore easily be eavesdropped on without user consent, since iOS and Android do not require special permissions from users to access the gyroscope.

(vii) Time and location-based privacy risks

The GPS embedded in a wearable is able to track a person’s location at a specific time. This brings great benefits for navigation, but it also poses greater risks: if people’s location can be tracked, it raises serious issues for the user’s privacy.

Below are some of the constraints that explain why such devices don’t come pre-installed with the general security measures we have on mobile phones and other handheld devices (such as two-factor authentication and encryption):

Low computing power.

Design constraints.

Limited communication capacity.

Reduced device size.

Enterprise MDMs today do allow such devices to be blocked or controlled,

The first step is to acknowledge that these devices pose a threat to personal security, and that the threat can sometimes escalate to the corporate level as well.

Key takeaways

  1. Do not download or store any sensitive confidential information onto the wearable devices.
  2. Do not attempt to connect wearables having wireless access capability to free/public access points.
  3. Do not attempt to connect or bridge these devices to the corporate network by any means.
  4. Prohibit wearable devices with sensing capacities in close proximity to vulnerable hardware or at least have their sensing capabilities turned off.
  5. Activate or install loss control apps if the product vendor offers one. This will protect the devices from accidentally being left behind, stolen, etc.
  6. Consider setting the wearable’s Bluetooth visibility to “not discoverable” when not in use, and use a security code/PIN for device pairing.
  7. Always update the devices with the vendor’s latest firmware/fixes, and look for security advisories and best practices from product vendors.
  8. Be aware of the applications installed and the permissions attached to them, such as monitoring or access to the cloud to store data, and review them frequently.
  9. Monitor for any suspicious activity on devices that have independent access to the internet (such as LTE-enabled devices). Look for indications like high battery drainage, high data usage, unknown apps prompting for access, etc.
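
One way to act on takeaway 9, as an added example that is not part of the original article: a small check that flags days on which a wearable shows the indicators listed above. The telemetry rows, the field layout, the app allowlist and the median-plus-MAD threshold are all assumptions made for illustration.

```python
from statistics import median

# Constructed sample telemetry for one LTE-enabled wearable (not real data):
# (day, battery drain in % per hour, cellular MB used, apps that asked for access)
TELEMETRY = [
    ("2023-04-01", 3.1, 12.0, {"health", "weather"}),
    ("2023-04-02", 2.9, 10.5, {"health"}),
    ("2023-04-03", 3.3, 11.2, {"health", "weather"}),
    ("2023-04-04", 3.0, 13.1, {"health"}),
    ("2023-04-05", 3.2, 11.8, {"health", "weather"}),
    ("2023-04-06", 7.8, 96.4, {"health", "sync-helper"}),
    ("2023-04-07", 3.1, 12.4, {"health"}),
]
KNOWN_APPS = {"health", "weather"}  # assumed allowlist the owner has reviewed


def robust_threshold(values, k=5.0):
    """Median + k * MAD, so a single outlier day cannot drag the baseline up."""
    values = list(values)
    med = median(values)
    mad = median(abs(v - med) for v in values)
    # Floor the spread at 5% of the median so a very flat baseline keeps slack.
    return med + k * max(mad, 0.05 * med)


def flag_suspicious(telemetry, known_apps):
    """Return {day: [reasons]} for days matching the indicators in takeaway 9."""
    drain_limit = robust_threshold(row[1] for row in telemetry)
    data_limit = robust_threshold(row[2] for row in telemetry)
    findings = {}
    for day, drain, data_mb, apps in telemetry:
        reasons = []
        if drain > drain_limit:
            reasons.append("high battery drain")
        if data_mb > data_limit:
            reasons.append("high data usage")
        for app in sorted(apps - known_apps):
            reasons.append(f"unknown app requesting access: {app}")
        if reasons:
            findings[day] = reasons
    return findings


if __name__ == "__main__":
    for day, reasons in flag_suspicious(TELEMETRY, KNOWN_APPS).items():
        print(day, "->", "; ".join(reasons))
```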

I’m Murali Krishnan. A Cloud Security enthusiast, passionate about new trends in the area of cloud, security. I write about my journey, experience & learning.