Risk Analysis of Wearable IoT Devices

Kinnari Surve
ECE530: Fault Tolerant Computing
Colorado State University
Fort Collins, USA
skinnari@gmail.com

Abstract—Wearable devices are a means to connect real lives to digital lives seamlessly. As the world becomes increasingly connected through these devices, little thought has been given to device security and user privacy. The proliferation of these devices has left researchers and technology developers struggling to find improved ways to transfer data to and from wearable devices while keeping all of that information safe. In this paper, we survey some security and privacy vulnerabilities in wearable devices and how they can be exploited.

Keywords—Wearables, Security, Privacy

I. INTRODUCTION

“Wearable Technology”, “Wearable Computing”, “Wearable Devices” or simply “Wearables” all refer to smart electronic devices that have become ubiquitous in day-to-day life. These smart devices can be integrated into accessories or clothes and worn effortlessly on the body.
Such devices can not only perform tasks comparable to a smartphone but can also sense and provide the wearer’s actionable records in real context [1]. Wearables have the following characteristics [2]:

• hands-free (unrestrictive): customers can do other things while using the wearable.
• always on (controllable): it is a responsive device that is constantly in the ON state, so users can seize control of it at any time.
• environment-aware (attentive): wearables are environmentally conscious, multimodal and multisensory.
• attention-getting (observable): it can hold the user’s continuous attention when the user needs it to, for example when receiving alerts, messages or reminders.
• connected (communicative): they are connected to a wireless network so that data exchange can occur in real time.
• un-monopolizing: it does not cut users off from the outside world.

The great ease of use, the variety of advantages and the increasing number of vital services provided to wearable consumers have resulted in the rapid proliferation of the wearables paradigm.
As seen in Figure 1, wearables are growing at 33% CAGR every year [3]. By 2020, there will be approximately 411 million wearables in the market. Note that almost 50% of the volume is accounted for by fitness trackers. Some examples of already universal wearable devices thriving in the market are smartwatches, fitness trackers by Fitbit, Google Glass (an augmented reality device), the Emotiv headset (a wearable brain-computer interface based on electroencephalography technology) and GPS pet trackers (a wearable for a pet that tracks its location). A few of the upcoming wearables are Google’s smart contact lens, Studio Roosegaarde’s Intimacy 2.0 (a smart dress that senses the closeness of a wearer to a bystander) and Netatmo JUNE (a device that measures real-time UV exposure).

Figure 1. Global wearable forecast [3]

Unfortunately, security research has not kept up with this explosive growth, leading to an increasingly large number of critical vulnerabilities and exploitations related to wearables [4]. A recent HP report suggested that these devices tend to have 25 notable security flaws, and that 60% have at least one such flaw that results in a cyber-attack [5]. Many of these devices store logs of data that can sometimes be transmitted to third-party users without notifying the wearer. Data recorded in this way can further be freely available and be used as evidence for or against the wearer in legal settlements [6]. In this paper, we cover some wearable security and privacy vulnerabilities and how these vulnerabilities lead to an attack.
Section II covers security and privacy requirements, followed by vulnerabilities and attacks in Section III.

II. REQUIREMENTS

The following security and privacy requirements are considered while designing wearable devices:

A. Security Requirements [8]

1) Confidentiality: Only the authorized parties (i.e., a certified user; a licensed partner device, like a smartphone or laptop; or a certified online server, if any) should be able to access the data recorded by the wearables, the records transferred to/from the wearables, and the device structures of the wearables. These authorized parties must be verifiable (i.e., the identity of the wearer, of the associate devices communicating with the wearables, or of the online server must be authenticated). In particular, data must stay private all along the way from the wearables themselves and the associate devices to the web services (if any).

2) Integrity: Unauthorized parties must not be able to alter the information recorded by the wearables, the records transferred to/from the wearables, or the system structures of the wearables. An adversary must not be able to inject false data or alter or delete the recorded or wearable-relevant records. In addition, the adversary must not be capable of altering or replacing a hardware/software component of the wearable device.

3) Availability: Only the authorized parties must be able to access the data recorded by the wearables, the data transferred to/from the wearables, and the system structures of the wearables, and they must be able to do so whenever requested. In other words, wearable devices must be resistant to any form of denial-of-service (DoS) attack. For instance, they must be invulnerable to battery-draining attacks, storage-overflowing attacks, or jamming attacks on communication channels.

4) Authentication: The authenticity of the wearer must be confirmed using a viable authentication scheme. Only a legitimate owner of the device must be allowed to access the device.

5) Access Control: The use of data/information recorded or saved on the wearables must be managed using access regulations. Only a legitimate user having legitimate access rights should be allowed to access a specific piece of information associated with a wearable device.

6) Nonrepudiation: It must be ensured that the wearables cannot deny being the origin of the data that they generated.

B. Privacy Requirements [7]

1) Device ID Privacy: Unauthorized parties must not be able to track the wearable device by its device ID, such as an RFID, Bluetooth device address or MAC address.

2) Device Log Privacy: Unauthorized parties must not be able to access the device log or records stored on the wearable device or shared with the system structure over the communication channel. The device log includes sensitive data such as daily activity data, PINs/passwords or any text typed on a computer.

3) Wearer ID Privacy: Unauthorized parties must not be able to extract the wearer’s identity or learn sensitive information about the wearer, which includes name, location, audio or video of the wearer, or the medical diagnosis in the case of a medical device.

4) Bystander Privacy: Unauthorized parties must not be able to use the wearable to identify, capture or derive any kind of information about the individuals in the vicinity.

III. VULNERABILITIES AND ATTACKS

A. Security Vulnerabilities and Attacks

Security vulnerabilities lead to critical breaches and losses.
Breaches can be access to private documents or sensitive information like credit card details, and losses include financial loss or safety issues. Moreover, consumers’ trust in wearables will decrease and discourage individuals from getting their own wearable. Therefore, it is vital to analyze the security vulnerabilities for user protection. The following are some of the most common security vulnerabilities in wearables, drawn from the attack surface shown in Figure 2:

Figure 2: Generic Data Acquisition Architecture in Wearable Technology [9]

1) Insecure Bluetooth transmissions: Since most wearables cannot directly connect to the Internet, they use Bluetooth to transfer the data or log acquired from the embedded wearable sensors to the local/central device (smartphone), as seen in Figure 2 [9]. For instance, an attacker can easily use a sniffer to access unauthorized data by sniffing the signal broadcast by the wearable device to the smartphone [10]. As a consequence of this sniffing, there may be a loss either in monetary terms or in the safety of the wearer.

2) Insecure Cellular or Wi-Fi Network: This transmission of data is more susceptible than the Bluetooth transmission, as the data is often combined with personally identifiable information (PII) to ensure that the data is being dispatched to the correct account. The transmission here is vulnerable to man-in-the-middle attacks and redirection attacks, which can reveal PII such as name, email, telephone number, PIN, etc., by reading the user’s hand/finger movements while providing input [11], [12].

3) Insecure data storage on the Cloud: Often data acquired from wearables is outsourced to the cloud or a third-party service, or automatically synchronised with social media. Moreover, sometimes the user can utilize the device properly only after agreeing to service policies which grant the application permission to synchronise the data with the cloud or third-party services without the user being aware [14]. Further, this data on the cloud can be vulnerable to Distributed Denial of Service attacks, SQL injection attacks or back-door attacks [15]. There have been reports of up to $1 billion stolen by impersonating bank employees through the use of malware [16].

4) Unfettered Access: Due to design constraints such as small size and limited bandwidth, these devices lack security mechanisms for authentication and authorization. They depend on uncontrolled wireless networks, either Bluetooth or Wi-Fi, to transfer data, making them vulnerable to account harvesting.

5) Lack of physical security: Small devices such as fitness bands can be easily stolen or misplaced. Since these devices are not protected by any security mechanism, the data stored locally can be easily accessed and misused.

B. Privacy Vulnerabilities and Attacks

According to a survey conducted by Apadmi [17], as seen in Figure 3, 42 percent considered wearables to be threats to privacy, 18 percent said they did not consider them a privacy threat and 40 percent did not know. This implies that consumers worry about the potential exposure of private data captured and stored in wearables. Not only are these devices saving our private data but also data about our surroundings, and they are able to do it continuously and discreetly. The privacy vulnerabilities and attacks are classified as follows:

1) User Identity and Data Privacy: “Life-logging” wearables embedded with cameras and microphones capture a large number of images and audio/video recordings every day, which may include data not only about the wearer but also about the environment and bystanders. Audio/video logs can capture uncontrolled data about bystanders and therefore pose privacy challenges such as surveillance [19]. Also, these audio/video logs can be easily hacked, as these devices have no strong encryption. It has also been found that a simple gyroscope can be used as a crude microphone to eavesdrop [18].
2) Time and Location Based Privacy: GPS-enabled wearables can log timestamps and locations. Although these devices can be of great use in navigation, they also pose greater privacy issues. Symantec found that a wearable can broadcast location information without the wearer being aware, even when it has no built-in GPS sensor [20].

Figure 3: Survey Results of “Do You Think Wearables Pose a Threat to Privacy?” [17]

IV. SECURITY ANALYSIS ON A REAL EXAMPLE OF A WEARABLE DEVICE

As seen above, more than 50 percent of wearable devices are smartwatches and fitness trackers, and most of these devices are vulnerable to Bluetooth attacks. Let us investigate this vulnerability.

A. Background

Bluetooth Low Energy (BLE) is used for smart devices operating on the same frequencies as classic Bluetooth but with lower power constraints, low cost and multi-vendor interoperability. It uses two protocols for communication:

1) Generic Access Profile (GAP): As seen in Figure 4, the wearable broadcasts an advertising data packet at each advertising interval. A central device in the vicinity that is interested in the packet sends an Initiate GAP Connection Request, to which the wearable replies with an Initiate Pairing Response. During this protocol the Device ID is shared and pairing is initiated. If the central device needs some extra information before pairing, it sends a Scan Response Request, to which the wearable replies with Scan Response Data.

Figure 4: GAP Protocol

2) Generic Attribute Profile (GATT): In this protocol the wearable and smartphone communicate by sending request/response packets after pairing. If the wearable needs to alert or notify the central device, it sends out an Async Event. In this protocol, the packets include information about the data as well as the data itself, along with the encryption key used to identify the device.

B. Vulnerability

Since the advertising packets in GAP are broadcast, any device in the vicinity can receive this packet and connect to the wearable, leading to a security threat.

C. Attack

An HCI snoop log application was used in [9] to sniff out the encrypted as well as unencrypted log from a Samsung Gear S3. Once the sniffer obtained the long-term encryption key it could obtain the MAC address, which enabled it to breach the owner’s email, SMS, etc., as seen in Figure 6. According to the HP report [22] on the top 10 smartwatches, 100 percent of the tested smartwatches contain significant vulnerabilities, which include lack of encryption, poor authentication and privacy issues, and only 50 percent of the smartwatches had provision for a screen lock by either pattern or six-digit PIN [22].
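As an added example (not code from the paper or from [9]), the following Python parses a raw BLE advertising PDU of the kind the wearable broadcasts in the GAP phase described above and reports what any listener in range learns from it without ever connecting: the advertiser address type (a public or random-static address is a stable identifier that lets a bystander re-identify and track the wearer, violating the Device ID Privacy requirement of Section II, whereas a resolvable private address rotates), the advertised local name and the manufacturer company ID. The two sample PDUs, the name "FitBand-7" and the company ID 0x1234 are constructed placeholders, not real devices.

```python
"""Audit what a BLE advertising PDU discloses to any listener in range: the
link-layer header, the advertiser address type and the AD structures in
AdvData (Bluetooth Core Spec Vol 6 Part B, 2.3 and Vol 3 Part C, 11)."""
import struct
ADV_PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
                 4: "SCAN_RSP", 6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "flags", 0x08: "short_name", 0x09: "complete_name",
            0xFF: "manufacturer_data"}


def classify_address(addr_be, tx_add):
    """Classify a 6-byte advertiser address (big-endian) using the TxAdd bit."""
    if tx_add == 0:
        return "public"  # IEEE-assigned MAC, fixed for the device lifetime
    top = addr_be[0] >> 6  # two most significant bits of a random address
    return {0b11: "random_static", 0b01: "resolvable_private",
            0b00: "nonresolvable_private"}.get(top, "reserved")


def parse_ad_structures(data):
    """Split AdvData into {ad_type: value}; each length byte covers type + value."""
    out, i = {}, 0
    while i < len(data):
        length = data[i]
        if length == 0 or i + 1 + length > len(data):
            break  # padding or truncated structure: stop, do not over-read
        ad_type, value = data[i + 1], data[i + 2:i + 1 + length]
        out[AD_TYPES.get(ad_type, f"0x{ad_type:02x}")] = value
        i += 1 + length
    return out


def audit_adv_pdu(pdu):
    """Return what a passive listener learns from one raw advertising PDU."""
    header, length = pdu[0], pdu[1]
    pdu_type, tx_add = header & 0x0F, (header >> 6) & 1
    payload = pdu[2:2 + length]
    adv_a = payload[:6][::-1]  # sent little-endian; reverse to usual notation
    ads = parse_ad_structures(payload[6:])
    kind = classify_address(adv_a, tx_add)
    name = ads.get("complete_name") or ads.get("short_name")
    mfr = ads.get("manufacturer_data")
    return {
        "pdu_type": ADV_PDU_TYPES.get(pdu_type, "unknown"),
        "address": ":".join(f"{b:02X}" for b in adv_a),
        "address_kind": kind,
        "trackable": kind in ("public", "random_static"),
        "name": name.decode("utf-8", "replace") if name else None,
        "company_id": struct.unpack("<H", mfr[:2])[0] if mfr and len(mfr) >= 2 else None,
    }


# Constructed samples (placeholder name and company ID): ADV_IND from a random-
# static address with flags, name and manufacturer data, and ADV_IND from a
# resolvable private address carrying only the flags field.
SAMPLE_STATIC_PDU = (bytes([0x40, 0x1A, 0x66, 0x55, 0x44, 0x33, 0x22, 0xC1])
                     + bytes([0x02, 0x01, 0x06, 0x0A, 0x09]) + b"FitBand-7"
                     + bytes([0x05, 0xFF, 0x34, 0x12, 0xAA, 0xBB]))
SAMPLE_RPA_PDU = bytes([0x40, 0x09, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA, 0x5F,
                        0x02, 0x01, 0x06])
```

Running `audit_adv_pdu` over a capture of a wearable's advertisements shows whether it advertises a stable address and a device name, which is exactly what the BLE advertising tracking listed in Table 1 relies on.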
However, even this lock code can be deciphered by a brute-force attack using a sniffing tool [23].

V. DISCUSSION

TABLE 1: SUMMARY OF VULNERABILITIES AND ATTACKS ON WEARABLES

Device           | Security Vulnerabilities                            | Attacks
Google Glass     | Insecure PIN or authentication                      | Gesture-based authentication recorded by an individual close by
                 | Images/audio/video recorded without user’s consent  | Eavesdropping and spyware
                 | Insecure network                                    | Wi-Fi hijacking, man-in-the-middle attacks
Fitness Trackers | Lack of authentication                              | DDoS attacks, data injection attacks, BLE advertising tracking, sniffing
                 | Location and timestamp logs                         | Phishing
Smartwatches     | Insecure authentication                             | Brute-force attack

Figure 5: GATT Protocol [9]

Figure 6: Snoop log plain text disclosure [9]

As seen in Table 1, most wearable devices lack the authentication needed to secure them, even though they contain a huge amount of sensitive data. Since these are low-powered, small-sized devices, password- or PIN-based authentication is difficult to implement due to the lack of a keyboard or touch screen. Wearables are constantly ON and are continuously capturing data and transmitting it to the central device even in insecure environments. Therefore, it is critical to implement authentication mechanisms on these devices, as the consequences of a compromised wearable introduced into the workplace can lead to severe data breaches and financial losses.

VI. CONCLUSION

Demand for wearables is ever increasing, and the proliferation of IoT has resulted in an explosion of wearable applications across various domains of life, viz. commercial, personal and medical. Every day, new advancements in technology lead to an increase in the volume of wearables in the market. As these devices outperform some of the older smart devices, consumers buy the new improved device even though they have older versions of the same device, and hence the older versions are rented out, resold or retired. Although this advanced technology benefits individuals, it still has some security and privacy loopholes. We need to figure out how to decommission the old device without disclosing the data already stored on it, or to reset the whole device. Strong user policies need to be implemented to ensure user data security and privacy.
Figure 7: Security Vulnerability facts on 10 smartwatches by HP [22]

VII. REFERENCES

[1] Siboni, S., Shabtai, A., Tippenhauer, N.O., Lee, J. and Elovici, Y., “Advanced security testbed framework for wearable IoT devices,” ACM Transactions on Internet Technology (TOIT), vol. 16, no. 4, article 26, 2016.
[2] Viral M. (01 Apr 2012). “Wearable Computer.” Online. Available: http://www.slideshare.net/fbviralmehta/wearable-computer-12242345
[3] Paul Lamkin (17 Feb 2016). “Wearable Tech Market To Be Worth $34 Billion By 2020.” Online. Available: https://www.forbes.com/sites/paullamkin/2016/02/17/wearable-tech-market-to-be-worth-34-billion-by-2020/#59b1f53c3cb5
[4] Linda Lee, Serge Egelman, Joong Hwa Lee, and David Wagner. 2015. Risk perceptions for wearable devices. arXiv preprint arXiv:1504.05694.
[5] Hewlett Packard Enterprise Analyst Report (12 June 2017). “HPE Locks Down Server Security.” Online. Available: http://www.moorinsightsstrategy.com/research-paper-hpe-locks-down-server-security/
[6] Reihl, Damien, “Sensors, Wearables, and Liability: The Brave New World of IoT,” 84 Hennepin Law. 7, 2015, pp. 7-11.
[7] Motti V.G., Caine K. “Users’ Privacy Concerns About Wearables.” In: Brenner M., Christin N., Johnson B., Rohloff K. (eds) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science, vol 8976. Springer, Berlin, Heidelberg, pp 231-244.
[8] Di Pietro, Roberto, and Luigi V. Mancini. “Security and privacy issues of handheld and wearable wireless devices.” Communications of the ACM 46, no. 9 (2003): 74-79.
[9] Cusack, Brian, Bryce Antony, Gerard Ward, and Shaunak Mody. “Assessment of security vulnerabilities in wearable devices.” Proceedings of the 15th Australian Information Security Management Conference, 2017, pp 42-48.
[10] Lotfy, Kerolos, and Matthew L. Hale. “Assessing pairing and data exchange mechanism security in the wearable Internet of Things.” In Mobile Services (MS), 2016 IEEE International Conference on, pp. 25-32. IEEE, 2016.
[11] Kamran Ali, Alex X. Liu, Wei Wang, and Muhammad Shahzad. 2015. Keystroke recognition using WiFi signals. In Proceedings of the 21st Annual International Conference on Mobile Computing and Networking. ACM, pp 90–102.
[12] Mengyuan Li, Yan Meng, Junyi Liu, Haojin Zhu, Xiaohui Liang, Yao Liu, and Na Ruan. 2016. When CSI meets public WiFi: Inferring your mobile phone password via WiFi signals. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, pp 1068–1079.
[13] Nroseth. (27 Mar 2015). Data Security in a Wearables World. Online. Available: http://www.swatsolutions.com/data-security-in-a-wearables-world/
[14] Vangie B. Cloud. (4 Oct 2015). Online. Available: http://www.webopedia.com/TERM/C/cloud.html
[15] Greig Paul and James Irvine. 2014. Privacy implications of wearable health devices. In Proceedings of the 7th International Conference on Security of Information and Networks. ACM, 117.
[16] David E. Sanger and Nicole P. (14 Feb 2015). Bank Hackers Steal Millions via Malware. Online. Available: http://www.nytimes.com/2015/02/15/world/bank-hackers-stealmillions-via-malware.html
[17] Do Potential Customers Think Wearable Tech Poses a Privacy Risk? Online. Available: https://www.apadmi.com/wearable-technology-trends/wearable-tech-privacy/
[18] Michalevsky, Yan, Dan Boneh, and Gabi Nakibly. “Gyrophone: Recognizing Speech from Gyroscope Signals.” In USENIX Security Symposium, 2014, pp. 1053-1067.
[19] Qinggang Yue, Zhen Ling, Xinwen Fu, Benyuan Liu, Wei Yu, and Wei Zhao. 2014. My Google Glass sees your passwords! In Black Hat USA 2014 White Paper.
[20] Lisa E. (09 Oct 2014). A New Wave Of Gadgets Can Collect Your Personal Information Like Never Before. Online. Available: http://www.businessinsider.my/privacy-fitnesstrackers-smartwatches-2014-10/#GDuZGvtShqZO79S5.97
[21] Raij, A., et al., Privacy risks emerging from the adoption of innocuous wearable sensors in the mobile environment, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. 2011, ACM: Vancouver, BC, Canada. pp. 11-20.
[22] Kristi R. (22 Jul 2015). HP Study Reveals Smartwatches Vulnerable to Attack. Online. Available: http://www8.hp.com/us/en/hp-news/press-release.html?id=2037386#.Wu7YTogvw2w
[23] Liviu A. (12 Sep 2014). Bitdefender Research Exposes Security Risks of Android Wearable Devices. Online. Available: http://www.darkreading.com/partnerperspectives/bitdefender/bitdefender-research-exposes-security-risks-of-android-wearable-devices-/a/d-id/1318005