Wearables are atop gift lists this year as Fitbit continues to grow and Apple is expected to sell six million Watches in the next month alone. Wearable-rental company Lumoid says it receives at least one new wearable device each week and that it “sometimes can’t keep up, especially now with the holiday season coming up.”
There are more wearables on the market than ever before, but experts like Good Technology’s John Herrema say manufacturers aren’t prepared to keep users secure at such a massive scale.
“Generally, it’s going to be the next platform that tens of millions of people are using and the volume will be very high,” Herrema says. “It will be interesting after the Christmas season because it will become an attractive place for hackers to look.”
The Price of Connectivity
Derek Manky of Fortinet’s threat research arm FortiGuard says attacks from the Internet of Things are, for the first time, in their global top 10 list of threats. He says the company is preparing to monitor billions more connections that it expects in the next few years. “I fully expect upwards of a 25% increase of vulnerabilities will be disclosed next year and a large attack surface in the next four years,” he says. “We’re expecting to see three times [connected devices] the amount of the human population in that time.”
But Tanium co-founder Orion Hindawi says we’re already at the point of mass vulnerability in wearables. “Some of the data is so accessible now that it doesn’t take a black hat exploit to get hacked,” he says. “We are putting computers on our wrists so the bottom line is those computers are programmable and can do a lot of cool things. The downside of that is if they’re not secure, they can do lots of cool things for someone else who wants to steal your money.”
Hindawi says that, up to this point, wearables have had little functionality and have even been gimmicky, which has helped steer hackers away. “Nowadays you look at the Apple Watch or some other wearable that has GPS capabilities and they hold a lot of value now. It used to be that they could track how many steps you took, but now they can track exactly where you were walking, and a lot of that information is much more interesting than what it used to be.”
Earlier this year, Fitbit was found to have contained vulnerabilities that could potentially lead to a hack, a finding Fitbit later disputed. But analysts told me they wouldn’t be surprised if such a hack occurred in any wearable device.
“Right now with this world of connected devices online, they provide great reach and accessibility to any attacker in the world,” FortiGuard threat researcher Derek Manky says. “The devices that can stand on their own and have their own Wi-Fi connection a lot of times are misconfigured and directly connected to the public internet. Some of these are connected to your skin which means you’re taking it in and out of security zones and much different areas.”
Another advantage to an attacker, Manky says, is that connected devices are often not securely inspected. “There’s a large difference between security from a code standpoint and actually securing and inspecting attacks while the attack is taking place and to apply malware, which I think in general is not happening.”
The Most Vulnerable Spots To Watch (Hint: They’re Everywhere)
The brain fitness market alone is expected to grow to $6B by 2020, and as such wearables access biofeedback, Bluetooth is becoming the go-to means of communication, or, as Tanium’s Orion Hindawi calls it, “an access point” for hackers.
“The only benefit Bluetooth gives you is that it’s the shorter distance communications protocol, but in reality you can actually connect to a Bluetooth device from tens of feet away, which doesn’t really give you much assurance,” he says. “If somebody wants to steal that data, they will be able to. A lot of the Bluetooth devices end up connecting to something that then itself has either Wi-Fi or Internet access through LTE or some cell modem, and if it’s compromised at all, it compromises feedback devices as well.”
Herrema says people don’t realize that a vulnerability in a wearable can oftentimes leak into other devices, which is part of the nature of inter-connectivity. “It can create a path to your laptop, which is maybe where the more valuable and interesting information sits,” he says. “We see this where they [wearable users] can perfectly secure laptops but they were all synchronizing data up to a cloud environment where they say, ‘Oops, I forgot to have a more complex password than one, two, three, four.’”
Consumers of the growing medical wearable economy should be even more concerned, says CA Technologies SVP Scott Morrison. “Anything associated with medical data bumps up the par against privacy restrictions and things like that,” he says. “It’s inherently very, very personal.”
John Herrema of Good Technology says it’s imperative to get it right as medical wearables are being pushed to the masses. “We have a bunch of customers in the healthcare industry and when they think about what wearables might mean for them and how they provide care to patients, you start to imagine scenarios with biometrics and collecting patient data actually becomes a way of engaging that user but now we’re actually talking about data that, by its very nature, needs to be secure and entirely controlled.”
Even common sleep or step tracking could lead to easy targeting, says Herrema. “If they [hackers] look at the patterns from 1 to 2 PM every day when your heart rate goes up, they know you’re probably out running or going to a gym and that would be the perfect time to rob you. They may see your sleep pattern and know, ‘Okay, this person goes to bed at pretty much 11 o’clock every night and wakes up at six, so this is when we should try to break into their house.’”
Herrema says the most overlooked leakage point for accessing data through mobile devices is the address book. “The way a lot of people create contacts in an address book is they will drag and drop an email from their inbox over into their contacts app, and that automatically adds a contact for a person with that email. A lot of times, that entire email thread will get synchronized into the notes field of that contact. Imagine that getting synchronized to a cloud and another application is asking your permission to access your address book, and you’re thinking they want access to phone numbers, but what you may not realize is that all the data from emails, including possibly credit card information, could be getting synced too.”
Some of the wearable manufacturers want to add camera capability for things like FaceTime, but Hindawi says that could open more doors for potential hacks. “In a really extreme circumstance, you have a wearable that’s sitting on your wrist and you are writing something, and an accelerometer can replicate what you are writing. There are lots of super creative ways that somebody can use a wearable to go and take things you don’t want them to take if the security is not up to snuff.”
But FortiGuard’s Derek Manky says it would take a more sophisticated plan of attack to get into wearables’ valuable data. “Wearables are different because they’re more dependent on communication and more likely to be compromised through an existing communications channel, so something like a smart phone or smart device. They are also a lot smaller.”
The largest attacks, he says, are on Android operating systems. “If someone could get access to an Android device, any sort of system connected would be inherently vulnerable,” he says.
But Herrema contends that even a small smart wristband is at risk, saying there are many misconceptions that lead people to think hackers are only relevant to the Department of Defense or large banks. “I think people are starting to realize that with Target, Home Depot and Sony’s salary information, these aren’t necessarily nuclear secrets, but that data is still really valuable and leads to bad outcomes when the wrong people get their hands on it.”
Hindawi says that wearables have potential to actually add value to security measures if done correctly. “If I never take it off, then that means there is a real strong authentication device that proves that I am me,” he says. “If it measures your pulse that doesn’t get a pulse for a while then it shows that you took your watch off which is a form of authentication. Wearables can be tremendously valuable; the problem is if you don’t trust their security you can’t use them that way.”
Companies Are More Likely To Risk Your Data Than Wait
With hundreds of wearables on the market and only a few big-name brands manufacturing them, the risk becomes greater when the smaller guys try to keep up with the Apples and Fitbits of the world, analysts say.
“Analysts predict 20-30 billion connected devices in the next 4 years and that’s not enough time,” Manky says. “If you look at new products going to market, a lot of upcoming products have a lot of flaws where they might not have update mechanisms or they are simply insecure and what we call low-hanging fruit.”
Hindawi says a lot of wearables companies tend to be smaller and lack in-house security. “I’ve been doing security for 20 years and I can tell you that a lot of these guys, when they first start, want to get to market as quickly as they can, so they forget things like authentication and encryption,” he says. “They skip things like API; it’s the same thing with car manufacturers.”
There’s a reason companies fail at security: “It’s hard and it takes time,” Hindawi says. “It requires that during the design phase of the product, people who really understand security be there. The easy way to do it is not the right way to do it.”
But when the holidays get closer, time becomes less of an option for some companies, he says. For Apple, if the watch doesn’t take off in the first generation, there is still going to be a second and third generation. But, for some of these wearable manufacturers, if the first one doesn’t go well, they will cease to exist. “What that means is they are willing to take risks with your data that you probably wouldn’t be willing to take. Three guys and a dog are not going to get security right most of the time.”
He says it’s especially rushed when companies are trying to get their product out in time for Christmas. “Do they see this as an existential part of their business and are they willing to take a huge hit on potential revenue and profitability in order to implement it? I am afraid that, in many cases, the answer is ‘no’. They’re not going to be willing to wait another holiday cycle to launch another product.”
For devices already on the market, it will likely be too hard to course-correct if a vulnerability is found, says CA Technologies’ Scott Morrison. “The big problem with many of these devices is they’re very difficult to update once they’re in the field, unlike your phone, which has a built-in updating system that pushes new versions out.”
Even when a manufacturer catches a hack of your device, it oftentimes won’t create any real change, Hindawi says. “I’m not in their office and can’t see what’s happening, but a lot of times the first time someone gets breached, they’ll say, ‘Well, it’s probably going to happen to another company,’ or ‘this is the cost of doing business.’ There’s a lot of rationalization that you can put yourself through to make yourself feel better about it.”
In my follow-up post, the experts themselves explain what you can do to protect yourself.
This article was written by Jennifer Elias from Forbes and was legally licensed through the NewsCred publisher network.