Common privacy and security vulnerabilities in wearable devices


Wearables are intelligent gadgets that can be worn on the human body in different forms, such as watches, glasses, wristbands, and even jewelry, to monitor physical activities and collect data or to ease the accessibility of a paired master device.

They improve efficiency, productivity, service, and engagement in a variety of applications, from healthcare and fitness to industry, entertainment, and the arts.

However, wearable devices present many security and privacy loopholes, along with challenges in power consumption, communication capacity, and design constraints. Because of their limited processing power and bandwidth, wearables usually provide less security than other computing devices.

Consequently, there are more opportunities to exploit security vulnerabilities, through an array of possible attacks that can put users' safety and privacy at risk. If a vulnerability is not handled properly, it can lead to serious breaches, financial losses, safety issues, and the loss of assets such as files and documents, or dynamic assets like credit card numbers.

Besides, wearable devices do not function as standalone devices; they are paired with gadgets such as smartphones to perform most functions. This communication complexity creates additional security vulnerabilities, such as exposure to man-in-the-middle attacks.

Therefore, it is important to investigate the security vulnerabilities of wearable devices in order to protect users. The most common security vulnerabilities in wearable devices include unsecured transmission via Bluetooth, unsecured software communication to the Cloud via a Wi-Fi or cellular network, unsecured data storage on the Cloud, lack of authentication and authorization, and lack of physical security controls.

1. Unsecured data transmission

Wearable devices rely on Bluetooth to transmit data collected from embedded sensors to integration devices such as smartphones because, currently, they cannot communicate directly with the Internet. As a result, an attacker can exploit a bug in the device to extract locally stored data, such as health-related records, by using the wearable as an access point. For example, an attacker can simply use sniffers to steal data without authorization by detecting the broadcast signals while a wearable device communicates over Bluetooth. The result can be a loss of money, of safety, or even of life.

2. Unsecured software communication to the Cloud via a cellular or Wi-Fi network

This vulnerability is much more serious than data transmission via Bluetooth for local device storage. More sensitive personal data can be stolen because data sent from the smartphone's local storage to the Cloud application is usually combined with personally identifiable information such as name, email, phone number, and location to ensure that it reaches the correct account. Man-in-the-middle and redirection attacks, which could send data to the wrong server, are examples of attacks that exploit this security flaw. As a result, there is a high risk of losing private data, as well as privacy and safety concerns if the wearer is identified.
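One way a companion app can guard the upload path against the man-in-the-middle and redirection attacks described above. This is an added example, not code from any wearable vendor; the host name `api.wearable-cloud.example` and all function names are hypothetical.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Hypothetical cloud endpoint; a real app would ship its own fixed list.
ALLOWED_HOSTS = {"api.wearable-cloud.example"}


def check_upload_url(url):
    """Accept only HTTPS URLs whose host is exactly on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing non-HTTPS upload URL")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected upload host: {parts.hostname}")
    return url


class RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """Fail the upload instead of re-sending PII wherever a 3xx points."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(
            req.full_url, code, f"redirect to {newurl} refused", headers, fp)


def tls_context():
    # Default context verifies the certificate chain and the host name.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def upload(url, body):
    """POST one JSON record (bytes); raises before any data leaves on a bad URL."""
    req = urllib.request.Request(
        check_upload_url(url), data=body, method="POST",
        headers={"Content-Type": "application/json"})
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=tls_context()), RefuseRedirects())
    with opener.open(req, timeout=10) as resp:
        return resp.status
```

The allowlist check uses the parsed host name, so look-alike URLs such as a trusted name placed in the userinfo part or used as a subdomain prefix are rejected.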

3. Unsecured data storage in the Cloud

Cloud refers to a public or semi-public space on transmission lines between the endpoints of a transmission. Cloud storage provides better file accessibility: a file stored in the Cloud can be accessed at any time from any place as long as you have internet access. This could be the most vulnerable area in the wearable world because of the Personally Identifiable Information (PII) available there.

The data synchronized to the Cloud could be exposed to several risks, including distributed denial of service (DDoS) attacks, SQL injection, or back door attacks. Attacks on the Cloud are typically carried out by highly skilled cybercriminals. For instance, a cybercriminal gang was reported to have stolen up to $1 billion by impersonating bank employees through malware.

4. Lack of authentication and authorization

Most wearable devices do not have a built-in security mechanism such as user authentication or PIN protection, and they usually store data locally without encryption. Besides, wearable devices require stronger communications security, in terms of encryption, data integrity, confidentiality, and other security services, since they rely on an uncontrolled wireless network, either a Bluetooth or Wi-Fi connection, to transfer data.

However, their small size and limited bandwidth make it difficult to apply stronger security measures, which ultimately makes them easier to attack. For instance, an HP study revealed that 30 percent of the tested smartwatches were vulnerable to account harvesting, an attack that gains access to the device and data by exploiting a weak password policy, lack of account lockout, and user enumeration.
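The three weaknesses behind account harvesting named above (weak password policy, no account lockout, user enumeration) each have a direct server-side countermeasure. The sketch below is an added example, not taken from the HP study or any product; the thresholds, the password policy, and the `AccountStore` class are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # assumed lockout threshold
LOCKOUT_SECONDS = 300   # assumed lockout duration
GENERIC_ERROR = "invalid credentials"  # same reply for every failure


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_ok(password):
    # Assumed policy: 12+ characters, not digits-only or letters-only.
    return len(password) >= 12 and not (password.isdigit() or password.isalpha())


class AccountStore:
    def __init__(self, clock=time.monotonic):
        self._users = {}     # name -> (salt, password hash)
        self._failures = {}  # name -> (failure count, locked-until time)
        self._clock = clock
        # Dummy record so unknown names cost the same hash work as real ones.
        self._dummy = (os.urandom(16), os.urandom(32))

    def register(self, name, password):
        if not password_ok(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(password, salt))

    def login(self, name, password):
        now = self._clock()
        count, locked_until = self._failures.get(name, (0, 0.0))
        if now < locked_until:
            return False, GENERIC_ERROR  # locked: password is not checked
        salt, stored = self._users.get(name, self._dummy)
        if hmac.compare_digest(_hash(password, salt), stored) and name in self._users:
            self._failures.pop(name, None)
            return True, "ok"
        # Count failures for unknown names too, so lockout reveals nothing.
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[name] = (count, locked_until)
        return False, GENERIC_ERROR
```

A wrong password, an unknown user name, and a locked account all return the same message, so the response gives a guesser no signal about which names exist.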

5. Lack of physical security controls

Another security vulnerability of wearable devices is the potential for losing the device itself. Because of their tiny size, wearable devices such as fitness bands are easily misplaced or lost. A lost or stolen device that falls into the wrong hands exposes the personal data it holds and compromises that data's confidentiality, integrity, and availability. Furthermore, most wearable devices do not have a built-in security mechanism such as user authentication or PIN protection. They usually store data locally without encryption.