Should you beware of wearables? Here’s what you should know about the potential security and privacy risks of your smartwatch or fitness tracker.
Smartwatches, fitness trackers and other wearables are fast becoming almost as familiar to us as our mobile phones and tablets. These connected gadgets do much more than tell the time. They track our health, display our emails, control our smart homes and can even be used to pay in stores. They’re an extension of the so-called Internet of Things (IoT) that’s making all of our lives healthier and more convenient, while reducing smartphone screen time that reached nearly six hours for half of Americans this year.
Unsurprisingly, it’s a market set to grow by 12.5% annually over the next few years to exceed US$118 billion by 2028. But while wearables are reaching into more of our daily lives than ever, they’re also collecting more data and connecting to an increasing number of other smart systems. It pays to understand these potential security and privacy risks up front.
What are the main security and privacy concerns?
Threat actors have multiple ways to monetize attacks on smart wearables and the related ecosystem of apps and software. They could intercept and manipulate data and passwords and unlock lost or stolen devices. There are also potential privacy concerns over the covert sharing of personal data with third parties. Here’s a quick round-up:
Stealing and manipulating data
Some of the most feature-rich smartwatches provide synced access to your smartphone applications, such as email and messaging. That could provide opportunities for unauthorized users to intercept sensitive personal data. But of equal concern is where much of that data ends up being stored. If it’s not protected properly at rest the provider may be targeted by information thieves. There’s a thriving underground market for certain types of personal and financial data.
Another key data type recorded by most wearables relates to location. With this information, hackers can build an accurate profile of your movements throughout the day. That could enable them to physically attack the wearer, or their car/household at times it is judged to be empty.
There are even greater concerns over the safety of children wearing such devices, if they are being tracked by unauthorized third parties.
It’s not just security risks that users have to be alert to. The data your devices collect may be extremely valuable to advertisers. And there’s a roaring trade in such data in certain markets, although it should be tightly regulated in the EU thanks to legislation introduced in 2018. One report claimed that revenue made from data sold by health device manufacturers to insurance companies could reach US$855 million by 2023.
Some third parties may even use it to create advertising profiles on wearers and sell it onwards. If this data is stored by multiple other downstream companies, this presents a greater breach risk.
Unlocking the smart home
Certain wearables could be used to control smart home devices. They might even be set up to unlock your front door. This presents a major security risk in the event devices are lost or stolen and anti-theft settings aren’t enabled.
Where do device ecosystems fall short?
The device you wear is only one part of the picture. There are actually multiple elements—from the device firmware to the protocols it uses for connectivity, its app and back-end cloud servers. All are susceptible to attack if security and privacy haven’t been properly considered by the manufacturer. Here are a few:
Bluetooth: Bluetooth Low Energy is typically used to pair wearables to your smartphone. But numerous vulnerabilities in the protocol have been discovered over the years. They could allow attackers in close proximity to crash devices, snoop on information or manipulate data.
Devices: Often the software on the device itself is vulnerable to external attack due to poor programming. Even the best designed watch ultimately has been built by humans, and therefore could contain coding errors. These can also lead to privacy leaks, data loss and more.
Separately weak authentication/encryption on devices may mean expose them to hijacking and eavesdropping. Users should also be aware of shoulder surfers if viewing sensitive messages/data on their wearables in public.
Applications: The smartphone apps linked to wearables are another avenue of attack. Again, they may be poorly written and riddled with vulnerabilities, exposing access to user data and devices. A separate risk is of the apps or even users themselves being careless with data. You may also accidentally download impostor apps designed to look like the legitimate ones, and entering personal information into them.
Back-end servers: As mentioned, the providers’ cloud-based systems may store device information including location data and other details. This represents an attractive target for attackers looking for a big pay-day. There’s not much you can do about this apart from choose a reputable provider with a good track record on security.
Unfortunately, many of the above scenarios are more than theoretical. A few years ago, security researchers found widespread vulnerabilities in kids’ smartwatches which exposed location and personal data. Previous to that, a separate investigation found many manufacturers were sending unencrypted personal data from children using the products to servers in China.
Concerns persist to this day, with research showing gadgets susceptible to manipulation which could even cause physical distress to the user. Another study claimed that hackers could change passwords, make calls, send text messages and access cameras from devices designed to monitor the elderly and children.
Top tips for locking down your devices
Fortunately, there are several things you can do to minimize the risks outlined above. They include:
- Switching on two-factor authentication
- Password protecting lock screens
- Changing settings to prevent any unauthorized pairing
Protect your smartphone by:
- Only visiting legitimate app stores
- Keeping all software up-to-date
- Never jailbreaking/rooting devices
- Limiting app permissions
- Installing reputable AV software on the device
Protect the smart home by:
- Not syncing wearables to your front door
- Keeping devices on the guest Wi-Fi network
- Updating all devices to the latest firmware
- Ensuring all device passwords are changed from factory default settings
- Choosing reputable wearables providers
- Taking a close look at privacy and security settings to ensure they’re configured correctly
As wearables become a bigger part of all our lives, they’ll become a bigger target for attackers. Do your research before buying, and close off as many avenues for attack as possible once you boot up the device.
written by Phil Muncaster, ESET