We all like our gadgets, whether they have some form of smart technology in them or not. Wearable technology is also very popular.
What is wearable technology?
Wearable technology is simply a technology, or device, that you can attach to your body. This can be:
- Smart Watches, including the non-smart kind
- Fitness Trackers
- GPS Trackers
- Earbuds/headphones, particularly the wireless kind
- Virtual Reality headsets
- RFID tags used in races to record when you crossed the start/finish line.
Wearable Technology often links via the internet, cellular network or Bluetooth wireless connections to apps on computers, tablets or smartphones. Many have sensors to collect physical, biological and location information.
Some of the emerging technologies are (as of writing):
- Digital glasses
- GPS-enabled cameras
- Clothing, including headbands and caps
- Rings and bracelets
- Hearing aids, contact lenses and other health-related devices.
- Augmented reality glasses (e.g. Hololens, Magic Leap and the ‘prophesied’ Apple AR glasses)
- Haptic suits (which provide physical sensations when playing games or doing some other activity e.g. driving a robot).
The range of wearable device categories is quite broad. Wearable technology also fits into the general Internet of Things (IoT) category.
When you pair these smart devices to your smartphone, or they have their own connectivity, they become part of a much wider ecosystem.
Pairing with other Devices
When we pair our smart devices to a smartphone or PC, we are normally using Bluetooth radio to do this. This is a wireless technology that typically uses short-range radio waves to communicate with your device. If you want to understand more about Bluetooth, then there is a very good Wikipedia article that covers this in more detail.
The pairing process between the device and your phone is probably the most dangerous time as you have to be sure you are pairing with a device you have control over. The best advice I can give you is not to do this in a crowded location, but probably at home where you know the devices around you.
As an exercise, go to a crowded place (e.g. a coffee shop), switch on Bluetooth and see how many devices show up as pairable devices. Now do the same when you are at home and see in both locations how many devices are showing up.
The best way to pair a Bluetooth device is to enter a security code on the device you are pairing that is provided by your phone. Of course, unless your device has some form of data entry (e.g. a virtual keyboard) this isn’t possible and the pairing process can be insecure. Various vulnerabilities have been documented, and these normally occur in the pairing process. They range from simply hijacking the connection, allowing deeper access to the device or the smartphone, to the propagation of malware. Bluetooth is also vulnerable to denial-of-service attacks, eavesdropping, man-in-the-middle attacks, message modification and resource misappropriation.
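The point about data entry is not just a rule of thumb: in Bluetooth Secure Simple Pairing, the two devices exchange their IO capabilities (display, yes/no buttons, keyboard, or neither) and the specification's lookup table decides which association model is used. Only Numeric Comparison and Passkey Entry let the user verify the pairing and so protect against a man-in-the-middle; Just Works offers no such protection. The following Python is an added illustration, not code from the original post: the table it encodes is the BR/EDR IO-capability mapping from the Bluetooth Core Specification, but the class, function and device names (`IOCap`, `association_model`, `unprotected_pairings`, the sample wearables list) are this example's own.

```python
"""Which Bluetooth SSP association model two IO capabilities produce, and
whether that model protects the pairing against a man-in-the-middle.

Added illustration: the mapping reproduces the Core Specification's BR/EDR
IO-capability table; all names here are this example's own.
"""
from enum import Enum


class IOCap(Enum):
    DISPLAY_ONLY = "DisplayOnly"          # can show a 6-digit number, no buttons
    DISPLAY_YES_NO = "DisplayYesNo"       # can show a number and accept yes/no
    KEYBOARD_ONLY = "KeyboardOnly"        # can type a number, nothing to display
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"  # earbuds, simple bands, etc.


def association_model(initiator: IOCap, responder: IOCap) -> str:
    """Return the SSP association model selected for these two capabilities."""
    caps = {initiator, responder}
    # A side with neither display nor input cannot take part in any
    # verification, so the specification falls back to Just Works.
    if IOCap.NO_INPUT_NO_OUTPUT in caps:
        return "Just Works"
    # Both sides show the same 6-digit value and the user confirms it matches.
    if initiator == IOCap.DISPLAY_YES_NO and responder == IOCap.DISPLAY_YES_NO:
        return "Numeric Comparison"
    # At least one keyboard: one side displays (or both type) a passkey
    # and the keyboard side enters it.
    if IOCap.KEYBOARD_ONLY in caps:
        return "Passkey Entry"
    # DisplayOnly with DisplayOnly or DisplayYesNo: a number can be shown but the
    # DisplayOnly side has no way to confirm it, so it degrades to Just Works.
    return "Just Works"


def mitm_protected(initiator: IOCap, responder: IOCap) -> bool:
    """True when the selected model lets the user detect a man-in-the-middle."""
    return association_model(initiator, responder) != "Just Works"


# Constructed sample: the kinds of wearables the post lists, with plausible
# IO capabilities. Real devices advertise their own values during pairing.
SAMPLE_WEARABLES = [
    ("fitness band", IOCap.NO_INPUT_NO_OUTPUT),
    ("smartwatch with on-screen keyboard", IOCap.KEYBOARD_ONLY),
    ("earbuds", IOCap.NO_INPUT_NO_OUTPUT),
    ("headset with display, no buttons", IOCap.DISPLAY_ONLY),
    ("VR headset with display and controllers", IOCap.DISPLAY_YES_NO),
]


def unprotected_pairings(phone: IOCap, devices) -> list:
    """Names of devices whose pairing with `phone` gives no MITM protection.

    These are the pairings the post advises doing at home rather than in a
    crowded place, because nothing on screen lets you check the peer.
    """
    return [name for name, cap in devices if not mitm_protected(phone, cap)]


if __name__ == "__main__":
    phone = IOCap.DISPLAY_YES_NO  # a typical smartphone: screen plus confirm button
    for name, cap in SAMPLE_WEARABLES:
        model = association_model(phone, cap)
        flag = "ok" if mitm_protected(phone, cap) else "NO MITM PROTECTION"
        print(f"{name:42s} {model:18s} {flag}")
```

Run it as a script and it prints, for each sample wearable, the model a phone would negotiate and whether the user gets a chance to verify the peer. The useful takeaway for a practitioner is that the fallback to Just Works is decided by the weaker of the two devices, which is why pairing a screenless band or earbuds deserves more care than pairing two phones.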
Once the device is paired, we have to assume that the communications between the device and your smartphone are encrypted. Prior to Bluetooth v2.1, encryption was not required and could be turned off at any time. From Bluetooth v2.1 onwards, this was addressed by:
- Encryption is required for all non-SDP (Service Discovery Protocol) connections
- A new Encryption Pause and Resume feature is used for all normal operations that require encryption to be disabled – this makes it easy to distinguish normal operation from security attacks.
- The encryption key must be refreshed before it expires.
We are now up to Bluetooth v5 (the latest as of writing was v5.1 released in January 2019) and any device not supporting the latest version of the protocol should be considered as suspicious and not used since the vulnerabilities the latest version closes will in all likelihood be in the device.
If you have connected your device via a cable, then most of these concerns do not exist.
Some devices have their own connectivity via the cellular network and don’t need to be paired with a smartphone to acquire their ‘smarts’. Cellular connectivity is fairly secure, so this is not something I am going to explore here.
What information are these devices gathering?
A wearable device can track all manner of data. For example, fitness trackers will track:
- GPS Location, tracking where you have been
- Movement, including how many steps you are taking
- Heart Rate
- Blood oxygenation
- What activity you are doing (e.g. running, weight training), normally inferred using some form of machine learning or AI
- Number of calories you are burning
- Sleep tracking.
These devices will also provide prompts when they detect you haven’t been moving for a while.
In addition smart watches may also track:
- SMS/Instant Messaging alerts
- Any apps you run on your smart watch and/or your phone
- Mobile Payments.
These devices are monitoring you 24/7 and provide a very accurate profile of what you are doing and where you are and have been. If you are an athlete where you need all data to determine peak performance, then this is OK (I guess). However, these devices are being widely used by regular individuals.
The concern here is the availability of this information and how it is used by the company concerned. Normally an app on your smart phone, or a website, will enable the collection of the information on the device. In the case of a tracker/smart watch, this information can be used to provide you with fitness/activity profiles for free. However, once that data is stored in the company’s cloud, it can be used for other purposes, such as:
- Marketing, including generating demographics for future sales and features
- Aggregating information and selling on anonymized data to third parties.
This is another case where if you are not paying for a product, you are the product.
Data stored in the cloud needs to be stored securely. This information is highly personal, and when stored in the cloud provides a detailed record of your life. If that data were to be disclosed in a data breach, the cyber criminals have a detailed record of your activities that can be used for other cyber crimes/attacks. More to the point, if the device is GPS enabled, they know exactly:
- where you are at each part of the day
- when you leave your home and arrive back
- where you work
- what shops/coffee houses you attend
If you lose the device, this data can also be retrieved by cyber criminals by just pairing it with their own smart phone. You need to look into whether the service/device can remotely disable the device when next connected to their cloud.
You have to ask yourself whether or not you trust the service you are uploading the data to. If you are using services provided by reputable companies (e.g. Fitbit, Garmin, Samsung, Apple) then you could assume that your data is safe. However, you should always read the terms and conditions of the service you are using (even for the big 4). This should be standard practice if you have read other blogs on this site. The T&Cs should describe the uses of the data, and you should also be able to limit use of your data within the various apps/websites.
If you are using a device provided by some other company, then be suspicious. There have been cases reported where companies use data without permission.
The biggest risk is in oversharing information. A lot of these devices have a social networking feature where you can link with your friends through a social network, which gives them access to sleep patterns, exercise times and locations and other health information. If an uninvited person links to you via the social network, they will have access to the same information. This could be particularly risky in some situations, for example:
- An over-controlling ex partner
- Cyber Stalkers.
These devices and social networks are a treasure trove of personal information about you.
If we assume you are going to use the social network feature of these devices, then you have to make sure the people you are giving access to this data are trusted. I would also suggest you look for ways to limit the amount of data given out, even to your friends. The safest way is not to share at all, but we all know that is just not going to happen.
Wearable technology is a boom area, and this category of device will extend in the coming years. This may also include devices we implant into our bodies to provide many of the features fitness trackers do today as well as smart clothing.
How should we use today’s devices safely? Here are a few pointers:
- Make sure you have paired with your device securely and with a device that you have control over
- When not in use, make sure the device is stored securely
- Monitor who you are sharing data with and where necessary limit the amount of data you share
- Monitor what information your devices are gathering and if there is anything you would prefer not to be tracked, then switch that feature off (if you can)
- If you use a company provided device, make sure you understand what information they are gathering and what they are using it for
- When you stop using the device, make sure you dispose of it securely, preferably by wiping all data from the device and disconnecting it from the online service
- Disconnect the device from your smartphone/PC when you are not syncing data – this will give better battery life, but also reduce the cyber attack surface
- Make sure you are using a service from a company with a reputation and that they securely store your information
- Investigate whether the device is supported for security fixes (similar to your smart phone or PC)
- Always read the Terms and Conditions and any permissions for the use of the data collected
- Secure the online account using a complex password and at least 2-factor authentication as credential stuffing attacks are rife
- If you pass on the device to a family member or friend, or sell it, make sure any identifiable information is wiped securely and if this is not possible, then don’t sell it on.
When you have stopped using the device it is often better to destroy it so that any residual data cannot be retrieved. In addition, when you stop using the online service, you should be able to:
- Extract all your data from the service, which may allow you to import it into a new service
- Delete all information held by you on the service
- Delete your account at the service provider.
These rights (to take your data with you and to have it erased) are provided under the EU’s GDPR regulations.