It feels as if wearable technology has really arrived. Thanks in part to the popularity of personal fitness trackers, and in part to major hardware makers like Apple and Samsung jumping on the smartwatch bandwagon, it’s much more common to see a wearable device of some description strapped to your colleagues these days. But what are the security implications of an office full of these new devices? Much like smartphones created more potential security problems as the number of end-points in the enterprise multiplied, wearables are further adding to that count. These devices are Bluetooth-connected, and designed to function in tandem with a mobile app and a cloud service of some description. That leaves a lot of room for potential tampering, and some hackers have already exploited vulnerabilities in some well-known wearables. Here, we take a look at some of the vulnerabilities discovered in these devices so far.
Acer Liquid Leap
Researchers at AV-TEST ran independent tests of several wrist-worn fitness trackers in June 2015. While security problems were detected with many of the devices, the researchers singled out the Acer Liquid Leap as exceptionally problematic. They found that a smartphone capable of doing a Bluetooth scan was enough to retrieve the information required to pair with the device. They also found that a debugged version of the app had been published to the Google Play store, making it easy to surreptitiously manipulate and even erase user data.
In 2013, security researchers at Lookout discovered a vulnerability in Google Glass involving its photo-capture function. Since Google Glass automatically recognized QR codes and could use them to connect to WiFi networks, it was possible for hackers to present a QR code that connected Glass to a malicious network, giving them easy access to spy on web requests and image uploads from Glass. Google responded by fixing the vulnerability shortly after it became known.
[photo credit: Axelle Apvrille]
Fortinet researcher Axelle Apvrille wrote a blog post about giving a presentation on security vulnerabilities in the Fitbit Flex tracker and being able to output a list of audience members who were wearing the device. By communicating with the device via Bluetooth, Apvrille is able to load malware up to 17 bytes in size, big enough for some known trojans that are in the wild. Apvrille also managed to fool the device’s step and distance count, and make its LEDs blink. Fitbit has said it has discussed the issue with Fortinet, and doesn’t see any possibility it could be used to distribute malware.
The hypothetical wearable
With wearable fitness trackers becoming so popular, researchers from IEEE released a report Feb. 17 that examines the potential security design flaws of wearable technology by using a hypothetical device, WearFit. Based on real wearable products in its architecture and components, the device came bundled with a mobile app and a cloud-based service. Researchers stressed the importance of avoiding so-called “man in the middle” attacks by having a system to authenticate identity between each layer of the wearable technology stack. The researchers also suggest that all firmware updates require cryptographic signatures to protect against malware injection into a fitness tracking app.
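The firmware-signing recommendation above, shown as an added example (not code from the IEEE report or from any vendor): a device-side check that rejects an update unless its Ed25519 signature verifies. The update layout, the function names, and the version rollback check are assumptions of this example and go beyond what the report summary states.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout: 4-byte big-endian version | image | 64-byte Ed25519 signature.
var ErrBadSig = errors.New("missing or invalid signature")
var ErrRollback = errors.New("version not newer than installed")

// DemoKeys derives a key pair from a constructed all-zero seed (demo only).
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// SignUpdate is the vendor side; the signature covers version and image.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	body := make([]byte, 4, 4+len(image)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(body, version)
	body = append(body, image...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyUpdate is the device side: signature first, then the version check.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, update []byte) ([]byte, error) {
	if len(update) < 4+ed25519.SignatureSize {
		return nil, ErrBadSig // too short to hold a version and a signature
	}
	n := len(update) - ed25519.SignatureSize
	if !ed25519.Verify(pub, update[:n], update[n:]) {
		return nil, ErrBadSig
	}
	if binary.BigEndian.Uint32(update[:4]) <= installed {
		return nil, ErrRollback
	}
	return update[4:n], nil
}

func main() {
	pub, priv := DemoKeys()
	update := SignUpdate(priv, 2, []byte("constructed firmware image"))
	_, ok := VerifyUpdate(pub, 1, update)
	update[6] ^= 0x01 // flip one bit of the image in transit
	_, bad := VerifyUpdate(pub, 1, update)
	fmt.Println("genuine:", ok, "| tampered:", bad)
}
```

Only the public key needs to be stored on the wearable, so extracting it from a device does not let anyone sign an update.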