As sales of IoT devices continue to see year-over-year double digit growth, security experts are urging the wearable industry to put security front and center when it comes to designing fitness tracker hardware, firmware and backend systems.
In a report released Wednesday by the IEEE Center for Secure Design, researchers spotlighted six security red flags for the wearable industry and proposed guidelines for developers to take into account to ensure security figures into how wearable devices are coded.
The report, “WearFit: Security Design Analysis of a Wearable Fitness Tracker (PDF),” argues poorly designed wearables are a security threat. The IEEE report says the popularity of wearables coupled with the amount of sensitive personal data they collect and share with third-parties make them an attractive target. IEEE’s focus for this report is on fitness trackers worn on the wrist that track heart rate, physical activity, have sensors such as accelerometers and can use a third-party device’s connectivity to upload user data to a centralized server.
One of the biggest takeaways is that wearables represent many familiar types of vulnerabilities such as SQL injection, phishing, cross-site request forgery and buffer overflow attacks.
“The vast majority of attacks target software systems regardless of the hardware. Whether it’s a wearable, smartphone or cloud application on a backend server, all of these systems use the same software systems,” said Jacob West, chief architect, security products, NetSuite, one of the report’s authors. “We see the same security vulnerabilities with wearables based on the way we use the technology.”
The report, authored by a group of IEEE members including Synopsis, Hewlett Packard Enterprise, NetSuite and researcher Tadayoshi Kohno, Short-Dooley Professor, Computer Science and Engineering, University of Washington, groups possible wearable attack categories and offers solutions on how to prevent them.
“The main goal here is to expand the focus away from just fixing bugs and vulnerabilities to include a focus on averting common design flaws” West said. “We believe that half the problems we see today are related to design issues and things that could been addressed when it was being conceptualized.”
Outlining The Threats
The first is denial of service attacks delivered by a fake firmware update that renders the wearable unusable, drains the device battery and locks users from website access to an account. A malicious firmware update could also compromise a paired mobile device such as a smartphone or laptop, according to the report.
Securing fitness data shared with third parties becomes increasingly important as more wearables become part of employer or insurer-sponsored corporate benefit programs, West said. Wearable makers need to protect against the falsification of health data via physical manipulation of the device or tampering with the data in transit, he said.
More safeguards are needed to ensure device and data integrity when a user permits or decides to restrict sharing of fitness data on social networks or with third-party marketers. The unintended consequences are exposing private health information or intrusive marketing or a nosey ex-boyfriend.
West said that personal health data is not innocuous. “Imagine a device that is tracking your heart rate and activity throughout the day,” West said. “There are scenarios where you might be able to use health information to expose or do damage to someone that wasn’t expected.” Heart rate data, West said, can reveal a range of personal activities – not just hitting the treadmill after work.
A breakdown anywhere in the wearable device’s food chain will have a wide range of implications beyond the loss of user data. Wearable vulnerabilities could also be tied to direct attacks against websites, theft of user credentials for privileged access to passthrough devices (phones and laptops) and third-party servers.
Building A Better Fitness Tracker
At issue, according to the IEEE report, is that wearable designs rely on the correct functioning of not just the device and its software, but also the associated ecosystem of hardware, software and networks such as user’s desktop computer, an unmanaged device, or a runtime or sandbox that can be tampered with by an attacker. Any one of these systems can “be inherently insecure if any of those parts are run in a potentially hostile environment,” the report states.
Avoiding flaws starts with building strong authentication of identity. “Once a user has been authenticated, a securely designed system should also prevent that user from changing identity without re-authentication,” according to the report. It suggests authentication through services that support the OAuth 2.0 authentication protocol such as Facebook or Google.
Other measures include strong password and password reset policies and the enforcement of 15-minute forced re-authentication when devices are idle. Lastly, the report advices giving a fitness tracker and its corresponding mobile application the ability to authenticate themselves during the pairing process. Doing so, the IEEE says, prevents buffer overflow attempts by attackers bent on draining resources by sending repeated, resource intensive requests to the device.
Likewise, separating data and control instructions help avoid third party injection vulnerabilities. For the majority of breaches, attackers target vulnerable software systems and wearable’s are no exception, West said.
In October, wearable security grabbed headlines when security analyst at Fortinet demonstrated a Fitbit vulnerability that could be executed in minutes within just few feet from a targeted device via Bluetooth. Researcher say they were able to inject malware into a FitBit Flex which could then infect any computer that connects with the wearable.
