Security and privacy are the most significant and serious aspects of the adoption of wearable technology today. For instance, exploitable security flaws in mobile health (mHealth), where a wearable system is used for delivering medications or intrusive actions in a user’s body (e.g., implantable cardioverter defibrillators (ICD) with remote connectivity), can result in catastrophic consequences.
From a privacy standpoint, several pieces of research demonstrate that the data collected by the wearable sensors (e.g., location data) can be accessed or exploited to reveal certain aspects considered private for a user in a crowdsensing system. Notably, all wearable sensing systems are susceptible to similar misuse or attacks found in other Internet of Things (IoT) devices and systems.
Most security attacks on wearable technologies occur during data transport or in remote services. Unlike other IoT devices such as a computer that can be physically isolated or protected, wearable devices often lack physical security, leading to exploitation by adversaries launching spoofing attacks to submit incorrect/fake data to a remote service.
Spoofing attacks tamper with a wearable’s context or environment to make the wearable submit incorrect data. For example, an adversary could easily manipulate a mule attack on a fitness band or smartwatch to detect or register activity levels by waving their arm or tying the wearable to a rope and making the fitness band or smartwatch rotate while standing at the same location.
Another vulnerability exploited in wearable devices is the limited energy management and harvesting. An adversary can perform battery exhaustion attacks and render a wearable ineffective in executing its tasks. Unlike other IoT devices, such as desktops, where power is not an issue since they are constantly connected to a reliable power source, most wearables use non-rechargeable or rechargeable batteries and/or energy harvesting techniques.
Below, we have summarized some of the critical vulnerabilities of wearable technology.
- Limited physical security – As mentioned above, limited physical security can cause unauthorized access by an adversary without difficulty, leading to physically damaging a device, spoofing attacks, and manipulating a wearable device’s context or environment to make the device malfunction or incorrectly collect/register data.
- Limited power – All wearable devices use batteries or energy harvesting techniques. Attacks often drain these batteries and render the devices unusable.
- Weak encryption – There is substantial evidence that some manufacturers sell wearables without encryption. Weak encryption can occur due to software or hardware limitations, poor power availability, and weak programming practices. Such weak encryptions enable attackers to eavesdrop on data in transit either to another wearable or to a remote service on the Internet.
- Weak authentication – Weak authentication vulnerabilities arise when a device or data cannot be authenticated due to energy, poor design, mode of use, or user interface constraints. This may not allow the implementation of robust authentication protocols on a wearable device, leading to losing, stealing, or duplicating a physical token for a device.
- Unnecessary open ports – Wearable devices keep operating system (OS) ports/network addresses that may be exploited in security attacks or privacy violations, such as tracking users using botnets and Bluetooth.
- Software vulnerabilities – Software in wearable devices may be implemented with errors or weak programming practices that make them vulnerable to security attacks. Some of these weak practices include backdoors and errors during firmware updates. Software vulnerabilities can lead to malfunctioning, leaks in privacy, manipulation of data, or causing a wearable to execute attacks on other devices over a network (or the Internet).
Wearable sensing services may expose users to various privacy threats because the data collected by these services can be potentially linked back to users. Research on user privacy perceptions on the utilization of consumer wearables has identified privacy concerns related to social implications, criminal abuse, facial recognition, access control, social media sync, right to forget, surveillance and sousveillance, speech disclosure, and covert audio/video (A/V) recordings when using a device. These concerns can be classified into three main privacy issues categories – context privacy, bystanders’ privacy, and external data sharing privacy.
Below, we present each privacy concern.
- Social implications – Unawareness by a network of friends regarding data being collected about them
- Criminal abuse – Fear that wearable data will be used by criminals to harass a user
- Facial recognition – Association/recognition of a bystander to a place or situation where the bystander does not wish to be recognized by others
- Access control – Fear of users of third-party service providers sharing data without consent
- Social media sync – Immediate publishing or sharing by the wearable device without the knowledge of the user.
- Discrete display and visual occlusion – Notifications/information of users that might be seen by bystanders who should not have access
- Right to forget – The user’s wish to delete collected data that he or she wants to forget
- User fears (surveillance and sousveillance) – Continuous tracking of user activities that might make the user feel that no matter what they do, everything is recorded
- Speech disclosure – Capturing speech that a user or bystanders would not want to record or share
- Surreptitious A/V recording – Recording of video without permission that might affect bystanders
- Location disclosure – Fear of sharing a location inadvertently to third parties that should not have access
Let’s sum up.
Security and privacy play an essential role in research, development, and use of and trust in wearable devices. Attacks on wearable devices launched by an adversary can have catastrophic consequences for a user, mainly if the wearable device is used in mHealth systems. In addition, wearables connected to the Internet could be hacked and used to attack other systems. It creates the issue of developing wearables with a security-by-design paradigm to identify security risks and vulnerabilities during the design and development phases rather than mitigating them after cyberattacks. More research is needed to continue protecting current and next-generation wearables and mitigate emerging threats.