A wearable is a mobile device that can be worn and conveniently carried by humans during their everyday routine. It is composed of several sensors and computing and communication units to observe, record, and communicate some physical phenomena happening around the device. Commercially available wearables these days include smartwatches, smart glasses, wrist bands, smart shoes, smart helmets, smart jewelry, adhesive skin patches, implants, etc. These devices are currently being used for a wide range of applications such as healthcare, sports, activity recognition, tracking, sleep pattern detection, and various fun and gaming gadgets such as virtual and augmented reality headsets.
Wearable devices and personal electronic gadgets are getting increasingly popular among consumers. As per some recent statistics, market trends indicate that wearable technology is expected to hit $52 billion by the end of 2020, which is around 27% higher compared to 2019. The reason behind this is the ease of use wearables bring to the user with a plethora of different useful applications. For example, with a smartwatch, a user can get instant updates about calls, text messages, weather updates, meeting reminders, the number of calories burnt each day, health indicators, and so on.
Over the years, there have been significant advancements in the overall design of wearables. For example, the recently released Apple Watch 6 has plenty of advanced features such as a blood oxygen monitor, ECG, heart rate, sleep monitor, advanced fitness application, music, maps, cellular connectivity, rich display, and so on. On the hardware level, wearables are getting more and more powerful each day with a variety of different sensors, powerful computing units, and multiple connectivity options. However, limited battery life remains the bottleneck due to their small form factor. Therefore, manufacturers always attempt to prolong the device battery life through different hardware and software techniques, sometimes also compromising on important features such as security and privacy. This is driven by the preference of consumers for buying gadgets that have long-lasting batteries, because, for an end-user, it is highly unpleasant to charge electronic gadgets very frequently. However, as the proliferation of wearables continues, consumers are getting more concerned about the security features of wearables.
Wearables often carry personal and sensitive information associated with an individual. The sensed information can be the user’s body temperature, heartbeat, location, steps walked, mood and stress levels, etc. Moreover, wearables can also be used for easy payments during shopping using near field communication (NFC) instead of using the credit/debit card each time. Therefore, all these types of personal information and data that wearables generate and utilize have high sensitivity and can be prime targets for hackers and malicious attackers attempting to exploit such personal data.
Conventionally, wearables used to be standalone devices capable of performing some limited tasks. However, with the recent advancements, wearables are now equipped with multiple internet connectivity options. Most wearables connect to the internet through some gateway node, which is the user’s smartphone in most settings. However, some newer wearables are also equipped with direct internet connectivity options such as WiFi and cellular connectivity, making them more prone to security threats from the outside world. From the network security perspective, security threats to wearables can be broadly classified into three different categories, namely confidentiality threats, integrity threats, and availability threats.
Confidentiality threats usually involve unauthorized attackers accessing the information being communicated to/from the wearables by exploiting the shared nature of the wireless channel that is used for communication, and later on misusing the attained information. Most of the confidentiality attacks on wearables are due to minimalistic implementations of the communication technologies by device manufacturers, who skip strong authentication mechanisms in an attempt to conserve resources.
Integrity threats aim to alter the actual information being communicated. Data integrity gets violated mainly due to the lack of both strong authentication mechanisms and data encryption techniques. Due to the large volume of data generated by wearables, manufacturers prefer to simply communicate plain data instead of applying data encryption, which negatively affects battery life. Device integrity is also associated with confidentiality, and if confidentiality is ensured, the threats to integrity automatically reduce.
Finally, threats to availability, such as the denial of service attack, try to make the wearable device inaccessible to authorized users. Although such attacks are not very common, they may leave the wearable unable to pair with the gateway and/or flood the wearable device with a huge number of irrelevant requests to make it busy and unavailable for an authorized user. Moreover, a huge number of fake queries to the wearable device can also result in quick depletion of the device battery.
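To make the integrity threat above concrete, the following added example (not code from the original article) shows a wearable attaching an authentication tag and a message counter to each plain-data reading, and a gateway rejecting altered or replayed frames. The frame layout, the `seal` and `Gateway` names, the truncated HMAC-SHA256 tag and the demo key are all assumptions made for illustration; the reading itself stays unencrypted, so this addresses integrity only, not confidentiality.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (assumption): counter, heart rate, temp x100, steps
FRAME = struct.Struct(">IBHI")
TAG_LEN = 16  # HMAC-SHA256 truncated to 128 bits to keep frames small


def seal(key: bytes, counter: int, bpm: int, temp_c: float, steps: int) -> bytes:
    """Wearable side: pack one reading and append its authentication tag."""
    body = FRAME.pack(counter, bpm, round(temp_c * 100), steps)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Gateway:
    """Phone side: accept only authentic frames carrying a fresh counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) != FRAME.size + TAG_LEN:
            return None  # malformed frame
        body, tag = frame[:FRAME.size], frame[FRAME.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # altered in transit, or sender lacks the key
        counter, bpm, temp, steps = FRAME.unpack(body)
        if counter <= self.last_counter:
            return None  # replay of a previously accepted frame
        self.last_counter = counter
        return {"counter": counter, "bpm": bpm, "temp_c": temp / 100, "steps": steps}


def demo():
    key = bytes(range(32))  # constructed demo key; a real key comes from pairing
    gw = Gateway(key)
    first = seal(key, 1, 72, 36.6, 4200)
    accepted = gw.accept(first)
    altered = bytearray(seal(key, 2, 72, 36.6, 4300))
    altered[4] = 180  # heart-rate byte changed after sealing
    return (accepted, gw.accept(bytes(altered)), gw.accept(first),
            gw.accept(seal(key, 2, 72, 36.6, 4300)))


if __name__ == "__main__":
    print(demo())
```

The cost per reading is one HMAC computation and 16 extra bytes on the air, which is the kind of overhead the battery trade-off discussed above has to absorb.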
Once the challenge of building a simple, low-consumption wearable has been overcome, the next challenge is to ensure it is secure. Therefore, in order to understand the main vulnerabilities to which these devices are exposed, it is not only necessary to know the vulnerabilities from a network security perspective, but also those that directly affect the device in order to efficiently apply the necessary security measures to protect the user’s information. These are described below:
- Physical access to data: Some wearables store sensitive user information on the device itself and without any encryption system. This represents a serious risk since, in case of loss or theft of the device, this data could be exposed disclosing sensitive user information and compromising the user’s privacy and security.
- Lack of encryption: Wearable devices have very limited computing power and limited resources, making it difficult to implement efficient cryptographic algorithms which do not affect the performance of the device. This implies that data must be stored and transmitted in plain text.
- Insecure connections: Wearable devices need Internet access in order to transmit the data they collect. Usually they are synchronized using the Bluetooth protocol, but it may also be the case that they can connect directly to a WiFi network. The implementation of these communication protocols depends on the manufacturers, and in some cases the entire protocol specification is not implemented due to the capacity and performance of the device.
- Vulnerabilities and updates: It could be considered one of the most critical aspects because many times these devices have their own operating system and it is not possible to update it. In case of a firmware vulnerability, this device would be permanently exposed, thus compromising the user’s privacy.
In order to address the privacy and security issues in these devices, manufacturers and security professionals should share their needs and solutions, ensuring that user data is properly protected. However, most of the current devices are not able to perform complex mathematical operations, which would help encrypt the information, due to the low computing power and insufficient resources of the device. Manufacturers opt to prioritize battery consumption and performance over the security of user data.
In summary, it can be said that security and privacy are important aspects related to wearables. However, they are often neglected by the device manufacturers due to multiple reasons: i) lack of enough computing and battery resources on the device, ii) device manufacturers trying to commercially launch the device before competitors for the sake of industrial lead and monetary gains, and iii) cost reduction in the development process, since developing and continuously updating efficient security features is costly.
by Waleed Bin Qaim and Raúl Casanova-Marqués