Thanks to their inbuilt sensors, bracelets and other wearables have become the perfect tool for monitoring our fitness and wellbeing – they inform us of our sporting progression and of how many calories we are burning at the gym. However, the growth in sales of these devices has also lead to a growth in the number of experts that warn of the risks that come associated with them in terms of data security.
The latest ones to raise concerns is a group of investigators at the IEEE Center for Secure Design in the United States, which has recently released a report about some of these threats.
The main risks, according to these experts, are based on the development of the device: those designed with less precision and care don’t usually include the necessary security specifications to protect the data that they collect. Their popularity, combined with the large quantity of information that they store, has made them a prime target for cybercriminals.
For the analysis, they have focused on the bracelets made for physical activity that measure variables such as vital signs. They also come with movement sensors such as accelerometers and they connect to the Internet to send the data to a centralized server.
The investigators claim that the attacks are directed at the software systems that control the flow of information between the device and the server. The same happens with other types of connected devices, such as smartphones or computers, which means that these vulnerabilities are taken advantage of quite often.
One of the methods that the criminals can use to access the user information is with an SQL injection. This technique means taking advantage of a security lapse to insert a malicious code in one of the IT applications that controls the database server.
Other known options are phishing and a technique which transmits unauthorized orders to a server, such as an information request. There is also the flooding of the buffer or the excess of data in an area of the hard drive, which would allow for the program that manages the storage to be modified.
Also, cybercriminals can carry out denial of service attacks via a fraudulent firmware update. The action leaves the device unusable, without battery, and blocks users from their accounts. It could also, therefore, affect other elements associated with the wearable, such as a telephone or computer.
The report highlights health data as delicate information that could be falsified or stolen by cybercriminals. Its authors affirm that more security measures are needed to guarantee that this information isn’t shared with other parties, even if the user publishes this information on social media.
The vulnerabilities of trackers could allow a cybercriminal to not only access the data of its owner, but also to launch attacks on a website and server of others.
With all of these risks in mind, the experts advise that, more than focusing on patching up the holes and vulnerabilities, it is necessary that we review the design process of wearables and analyze the whole ecosystem of software that surrounds them – from computers, to smartphones, and even data servers.