Wearable technology is driving some amazing innovations – merging physical and logical worlds to improve everything from shopping to healthcare and athletic performance. But technology is a two-edged sword – new capabilities also open the door to new attack vectors. Technology is value-neutral, so the capabilities developed to make day-to-day life easier can also be used by criminals to damage and wreak havoc.
Before the advent of smartphones, daily life was very physical, and the world had a different security optic. As a cybersecurity professional, I pay attention to these changes and their implications. Physical “things” helped us navigate our lives – maps, phone booths, yellow pages, encyclopedias, cameras, alarm clocks, etc. – all of which took some effort to use, and they were not always convenient. They could not track my activities or intuit my interests. Then came the smartphone, and with it all the artificial intelligence, machine learning, and big data that we talk about. The next step is to be able to wear something that makes the information useful to me, so I don’t have to carry it – thus the advent of wearables. The wearables world is moving quickly to take over new horizons of capability.
Now, the phone in my pocket communicates with the things I wear – most commonly, my smartwatch and headphones, but increasingly it is moving to other form factor capabilities. Today my phone is the “server” for tools and apps, but it may not always play that role.
The front edge of wearables drives some promising changes, and leading the way are the fields of athletics and medicine. These fields, which are being invaded by wearables, represent giant leaps forward in the telemetry and precision of assessing performance and health. They bring the ability to track health indicators in real time, evaluate micro-changes in performance, and support the analysis with details. As technology pushes its forward edges, we are starting to see things that could not be done without a person – or at all – being done automatically and routinely.
But the changes are not entirely rosy. The very technology that brings these amazing promises also brings threats. What are these threats, and how do they apply to wearables? Look through cybersecurity industry reports on the frequency and vectors of attacks, and you will find numerous ways of categorizing the attacks. The vast majority of attacks, however, come down to three types: those that exploit people (usually delivered via email or the web or a combination, e.g., spear phishing, ransomware), those that exploit systems (whether through compromised physical devices, system vulnerabilities or systemic weaknesses), and insider threats (intentional or unintentional malicious activity by trusted insiders), or a combination of these.
When I rely on an app on my smartwatch to give me directions, is anyone else also relying on that app to see where I am? How do I know? If the app is tracking my vital statistics, can anyone else find that information? And who is that other person – is it someone that I approved, and are they sharing it with someone else? Wearables are a particular risk for at least three reasons:
1 – Device manufacturers and app developers ensure that the device or app works, not that the device or its data is safe.
2 – Each wearable is made up of multiple elements, and the supply chain itself may not be transparent to the device manufacturer, much less the end user.
3 – Wearables are potential threats to organizations’ information security, because, as they become smaller, less visible, and more capable, they are harder to see and track.
Going into a bit more depth on the supply chain: it is the nexus of a threat to wearables, which means that I, as a customer, am making a lot of assumptions about the device’s safety. The same supply chain issues apply to apps that work with devices.
Besides thinking that the device actually does what it says it will do, I naturally assume that the device isn’t sharing my information. I also think it is not dangerous to me. It doesn’t overheat or have dangerous materials or components. It maintains its state in a predictable way, so when I take it off or restart it, the data stays and reflects my prior settings. This is useful in convenience wearables but critical if I’m relying on a device to monitor my health. Keep in mind that these may not be regulated devices – they can be convenience devices being used for critical functions. When it’s a watch, maybe some flaws are OK. But when it’s something that I rely on for life/safety, the stakes are higher.
And the conversation is yet more complicated; as a device owner, I rely on the reseller to sell me a device that is trustworthy, and that works. So the supply chain between me and the functionality of the device goes through designer to developer to manufacturer to distribution chain to a retailer (or a business distribution channel or a direct-to-end-user distribution channel). If the end seller is known and reputable, I have relatively high confidence that the product will work as advertised and that I have recourse if it doesn’t.
If the product or vendor is less well-known, my ability to rely on the quality and available recourse declines, so my trust level decreases. But with my desensitization to compromised data, I may well decide to go ahead and buy it anyway. And as my trust level decreases, I expect that I will get a much cheaper product!
But this is not a good model. And the supply chain is only one of the threats. Consumers don’t have reliable ways to validate that the devices and apps they use are safe for them. With the proliferation of cybersecurity threats, the onus falls on manufacturers and vendors. There has been great progress in this area, and it is encouraging to see that the right questions are often being asked, but sloppy quality in the industry can affect a lot of areas. The wearable manufacturers are working to establish and maintain the trust of their customers, and providing assurances of safety, in meaningful ways, will help the field of wearables reach its potential.