Risk Analysis of Wearable IoT Devices
ECE530:Fault Tolerant Computing
Colorado State University
Abstract—Wearable devices are a means to connect real lives to
digital lives seamlessly. As the world becomes increasingly
connected through these devices, little thought has been given to
device security and user privacy. The proliferation of these devices
has led researchers and technology developers to struggle to find
improved ways to transfer data to and from wearable devices and
to keep all the information safe. In this paper, we survey some
security and privacy vulnerabilities in wearable devices and how
they can be exploited.
Keywords—Wearables, Security, Privacy
“Wearable Technology”, “Wearable Computing”,
“Wearable Devices” or simply “Wearables” all refer to
smart electronic devices that have become ubiquitous in day-to-day
life. These smart devices can be integrated into accessories or
clothes and worn effortlessly on the body. Such devices can not
only perform tasks comparable to a smartphone but can also
sense and provide the wearer’s actionable records in real context
[1]. Wearables have the following characteristics [2]:
• hands-free (unrestrictive): so that users can do other
things while using the wearables.
• always on (controllable): it is a responsive device, as it is
constantly in the ON status, so users can seize control of it at
any time.
• environment-aware (attentive): wearables are
environmentally conscious, multimodal and
• attention-getting (observable): it can hold the user’s
continuous attention whenever the user needs it to, which
includes receiving alerts, messages or reminders.
• connected (communicative): they are connected to a
wireless network so that data exchange can occur in the
• un-monopolizing: it does not cut users off from the
outside world.
The convenience, the variety of advantages and the increasing
number of vital services provided to wearable consumers have
resulted in the rapid proliferation of the wearables paradigm. As
seen in Figure 1, wearables are growing at a 33% CAGR every
year [3]. By 2020, there will be approximately 411 million
wearables in the market. Note that almost 50% of that volume
is accounted for by fitness trackers. Some examples of already
universal wearable devices thriving in the market are
smartwatches, fitness trackers by Fitbit, Google Glass (an
augmented reality device), the Emotiv headset (a wearable
brain-computer interface based on electroencephalography
technology) and GPS pet trackers (a wearable for a pet to track
its location); a few of the upcoming wearables are Google’s
smart contact lens, Studio Roosegaarde Intimacy 2.0 (a smart
dress that senses the closeness of a wearer to a bystander) and
Netatmo JUNE (a device that measures real-time UV
exposure). Unfortunately, security research has not kept up
with this explosive growth, leading to an increasingly large
number of critical vulnerabilities and exploitations related to
wearables [4]. A recent HP report suggested that these
devices tend to have 25 notable security flaws and 60% have
at least one such flaw which results in a cyber-attack [5].

Figure 1. Global wearable forecast [3]
Many of these devices store logs of data that can
sometimes be transmitted to third-party users without any
notification to the wearer. Data recorded in this way can further
be freely available and be used as evidence for or against a party in
legal settlements [6].
In this paper, we will cover some wearable security and
privacy vulnerabilities and how these vulnerabilities lead to
an attack. Section II will cover security and privacy
requirements, followed by vulnerabilities and attacks in
II. SECURITY AND PRIVACY REQUIREMENTS
The following security and privacy requirements are considered
while designing wearable devices:
A. Security Requirements [8]:
1) Confidentiality: Only the authorized parties (i.e., a
certified user; a licensed partner tool, like a smartphone or
laptop; or a certified online server, if any) should be able to
access the data recorded by the wearables, the records
transferred to/from the wearables, and the device structures of
the wearables. These authorized parties must be verifiable (i.e.,
the identity of the wearer or the associate devices
communicating with wearables or on-line server must be
authenticated). In particular, data must stay private all along the
way from the wearables themselves and the associated devices to
the web services (if any).
2) Integrity: Unauthorized parties must not be able to alter
the information recorded by the wearables, the records
transferred to/from the wearables, and the system structures of
wearables. An adversary must not be able to inject false data or
alter or delete the recorded or wearable-relevant records. In
addition, the adversary must not be capable of altering or updating
a hardware/software component of the wearable device.
3) Availability: Only the authorized parties must be able to
access the data recorded via the wearables, the data transferred
to/from the wearables, and the system structures of wearables
when requested. In other words, wearable devices must be
resistant towards any form of denial-of-service (DoS) attacks.
For instance, they must be invulnerable to battery-
draining attacks, storage-overflowing attacks, or jamming
attacks on communication channels.
4) Authentication: The authenticity of the wearer must be
confirmed using a viable authentication scheme. Only a
legitimate owner of the device must be allowed to access the
5) Access Control: The use of data/information
recorded/saved on the wearables must be managed using
access regulations. Only a legitimate user having legitimate
access rights ought to be allowed to access a specific piece of
information associated with a wearable device.
6) Nonrepudiation: It must be ensured that the wearables
cannot deny being the origin of the data that they generated.
B. Privacy Requirements [7]:
1) Device ID Privacy: Unauthorized parties must not be
able to track the wearable device by its device ID such as
RFID, Bluetooth device address or MAC address.
2) Device Log Privacy: Unauthorized parties must not be
able to access the device log or records stored on the wearable
device or shared with the system structure over a communication
channel. The device log includes sensitive data such as daily
activity data, PINs/passwords or any text input on a computer.
3) Wearer ID Privacy: Unauthorized parties must not be
able to extract the wearer’s identification or learn sensitive
information about the wearer, which includes name, location,
audio or video of the wearer, or medical diagnosis in the case
of a medical device.
4) Bystander Privacy: Unauthorized parties must not be
able to use the wearable to identify/capture/derive any kind of
information about the individuals in the vicinity.
III. VULNERABILITIES AND ATTACKS
A. Security Vulnerabilities and Attacks:
Security vulnerabilities lead to critical breaches and losses.
Breaches can be access to private documents or sensitive
information like credit card information, and losses include
financial loss or safety issues. Moreover, consumers’ trust in
wearables will decrease and discourage individuals from getting
their own wearable. Therefore, it is vital to analyze the security
vulnerabilities for user protection. Following are some of the
most common security vulnerabilities in wearables, from the
attack surface shown in Figure 2.

Figure 2: Generic Data Acquisition Architecture in Wearable Technology [9]
1) Unsecure Bluetooth transmissions: Since most
wearables cannot directly connect to the Internet, they use
Bluetooth to transfer the data or log acquired from the embedded
wearable sensors to the local/central device (smartphone), as
seen in Figure 2 [9]. For instance, an attacker can easily use a
sniffer to access unauthorized data by sniffing the signal
broadcast by the wearable device to the smartphone [10]. As a
consequence of this sniffing, there may be a loss either in
monetary terms or in the safety of the wearer.
2) Unsecure Cellular or Wi-Fi Network: This transmission
of data is more susceptible than the Bluetooth transmission, as
the data is often combined with personally identifiable
information to ensure the data is being dispatched to the correct
account. The transmission here is vulnerable to man-in-the-middle
attacks and redirection attacks, which can reveal PII such as
name, email, telephone number, PIN, etc. by reading the user’s
hand/finger movements while providing inputs [11], [12].
3) Unsecure data storage on Cloud: Often data acquired
from wearables is outsourced to a cloud or third-party service
or automatically synchronised with social media.
Moreover, sometimes the user can utilize the device
properly only after agreeing to service policies which
grant the application permission to synchronise the data with the
cloud or third-party services without the user being aware [14].
Further, this data on the cloud can be vulnerable to Distributed
Denial of Service attacks, SQL injection attacks or back
door attacks [15]. There have been reports of up to $1 billion
stolen by impersonating bank employees through the use of
4) Unfettered Access: Due to design constraints such as
small size and limited bandwidth, these devices lack security
mechanisms for authentication and authorization. They depend
on uncontrolled wireless networks, either Bluetooth or Wi-Fi, to
transfer data, making them vulnerable to account harvesting.
5) Lack of physical security: Small devices such as
fitness bands can be easily stolen or misplaced. Since these
devices are not protected by any security mechanism, the data
stored locally can be easily accessed and misused.
B. Privacy Vulnerabilities and Attacks:
According to a survey conducted by Apadmi [17], as seen in
Figure 3, 42 percent of respondents considered wearables to be a
threat to privacy, 18 percent said they did not consider them a
privacy threat and 40 percent did not know. This implies that
consumers worry about the potential exposure of private data
captured and stored in wearables. Not only are these devices
saving our private data but also data about our surroundings,
and they are able to do it continuously and discreetly. The
privacy vulnerabilities and attacks are classified as follows:
1) User Identity and Data Privacy: “Life-logging”
wearables embedded with cameras and microphones capture a
large number of images and audio/video recordings every day,
which may include data not only about the wearer but also
about the environment and bystanders. Audio/video logs can
capture uncontrolled data about bystanders and therefore pose
privacy challenges such as surveillance [19]. Also, these
audio/video logs can be easily hacked, as these devices have no
strong encryption. It has also been found that a simple gyroscope
can be used as a crude microphone to eavesdrop [18].
2) Time and Location Based Privacy: GPS-enabled
wearables can log timestamps and locations. Although these
devices can be of great use in navigation, they also pose
greater privacy issues. A Symantec study found that even a
wearable with no built-in GPS sensor can broadcast location
information without the wearer being aware [20].
IV. SECURITY ANALYSIS ON REAL EXAMPLE OF
As seen above, more than 50 percent of wearable
devices are smartwatches and fitness trackers, and most
of these devices are vulnerable to Bluetooth attacks. Let us
investigate this vulnerability.
Figure 3: Survey results of “Do you think wearables pose a threat to privacy?” [17]
Figure 4: GAP Protocol
Bluetooth LE (BLE) is used for smart devices operating on the
same frequencies but with lower power constraints, low cost
and multi-vendor interoperability. It uses two protocols for
1) Generic Access Profile (GAP): As seen in Figure 4, the
wearable broadcasts an advertising data packet at advertising
intervals. A central device in the vicinity, if interested in the
packet, sends an Initiate GAP Connection Request, to which the
wearable replies with an Initiate Pairing Response. During this
protocol the Device ID is shared and pairing is initiated. If the
central device needs some extra information before pairing, it
sends a Scan Response Request, to which the wearable replies
with Scan Response Data.
2) Generic Attribute Profile (GATT): In this protocol the
wearable and smartphone communicate by sending
request/response packets after pairing. If the wearable needs to
alert or notify the central device, it sends out an Async Event. In
this protocol, the packets include the information about the
data as well as the data itself, along with the encryption key used
to identify the device.
Since the advertising packets in GAP are broadcast, any
device in the vicinity can receive these packets and connect to the
wearable, leading to a security threat.
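As an added example (not code from the paper or from any cited work), the following Python parses a BLE advertising report of the kind a central device receives during the GAP phase described above and flags the fields that make a wearable trackable or identifiable: a public or static random address (the Device ID privacy requirement of Section II) and a complete local name or manufacturer data sent in the clear. The sample reports are constructed; the address classification follows the Bluetooth Core Specification rules for random addresses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Address type values carried in an HCI LE Advertising Report event
ADDR_PUBLIC, ADDR_RANDOM = 0x00, 0x01
# AD types from the Bluetooth Assigned Numbers
AD_FLAGS, AD_COMPLETE_NAME, AD_MANUFACTURER = 0x01, 0x09, 0xFF

@dataclass
class AdvReport:
    address: str
    kind: str                      # public / random-static / rpa / non-resolvable
    name: Optional[str]
    trackable: bool
    findings: List[str] = field(default_factory=list)

def classify_address(addr_type: int, addr_be: bytes) -> str:
    """Top two bits of the most significant byte of a random address:
    11 = static, 01 = resolvable private (RPA), 00 = non-resolvable private."""
    if addr_type == ADDR_PUBLIC:
        return "public"
    return {0b11: "random-static", 0b01: "rpa", 0b00: "non-resolvable"}.get(
        addr_be[0] >> 6, "reserved")

def parse_ad_structures(data: bytes) -> Dict[int, bytes]:
    """Walk the length/type/value AD structures; a bad length ends parsing safely."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        length = data[i]
        if length == 0 or i + 1 + length > len(data):
            break                      # zero-length or truncated structure: stop
        out[data[i + 1]] = data[i + 2:i + 1 + length]
        i += 1 + length
    return out

def parse_report(addr_type: int, addr_le: bytes, adv_data: bytes) -> AdvReport:
    """Decode one advertising report and list fields that allow tracking or identification."""
    addr_be = addr_le[::-1]            # HCI carries the address little-endian
    kind = classify_address(addr_type, addr_be)
    ads = parse_ad_structures(adv_data)
    name = ads[AD_COMPLETE_NAME].decode("utf-8", "replace") if AD_COMPLETE_NAME in ads else None
    findings = []
    trackable = kind in ("public", "random-static")
    if trackable:
        findings.append("fixed address: device can be tracked across sightings")
    if name is not None:
        findings.append("complete local name broadcast in the clear")
    if AD_MANUFACTURER in ads:
        findings.append("manufacturer data present: may reveal vendor/model")
    return AdvReport(":".join(f"{b:02X}" for b in addr_be), kind, name, trackable, findings)

# Constructed sample reports (address type, little-endian address, AD payload); not real captures
FIXED_ADDR_WEARABLE: Tuple[int, bytes, bytes] = (
    ADDR_PUBLIC, bytes.fromhex("665544332211"),
    bytes.fromhex("020106") + bytes([7, AD_COMPLETE_NAME]) + b"Band-1")
RPA_WEARABLE: Tuple[int, bytes, bytes] = (
    ADDR_RANDOM, bytes.fromhex("01020304054F"), bytes.fromhex("020106"))
```

Calling parse_report(*FIXED_ADDR_WEARABLE) reports a public address and a cleartext name, while parse_report(*RPA_WEARABLE) reports a resolvable private address with no findings, which is the behaviour a wearable should exhibit.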
An HCI snoop log application was used in [9] to sniff out the
encrypted as well as unencrypted log from a Samsung Gear S3.
The sniffer could obtain the MAC address once it got the
long-term encryption key, enabling a breach of the owner’s
email, SMS, etc., as seen in Figure 6.
According to an HP report [22] on the top 10 smartwatches, 100
percent of the tested smartwatches contain significant
vulnerabilities, which include lack of encryption, poor
authentication and privacy issues, and only 50 percent of the
smartwatches had provision for a screen lock by either a pattern
or a six-digit PIN [22]. However, even this lock code can be
deciphered by a brute force attack using a sniffing tool [23].
TABLE 1: SUMMARY OF VULNERABILITIES AND ATTACKS ON WEARABLES
Device       | Security Vulnerabilities                          | Attacks
             | Unsecure PIN or authentication                    | Gesture-based authentication recorded by an individual close by
             | Images/Audio/Video recorded without user’s consent | Eavesdropping and spyware
             | Unsecure network                                  | Wi-Fi hijacking, man-in-the-middle attacks
             | Lack of Authentication                            | DDoS attacks, data injection attacks
             | BLE Advertising                                   | Tracking, sniffing
             | Location and timestamp logs                       | Phishing
Smartwatches | Unsecure Authentication                           | Brute force attack
As seen in Table 1, most wearable devices lack the
authentication to secure them even though they contain a huge
amount of sensitive data. Since these are low-powered, small-
sized devices, password or PIN based authentication is
difficult to implement due to the lack of a keyboard or touch screen.
Wearables are constantly ON and are continuously capturing
data and transmitting it to the central device even in unsecure
environments. Therefore, it is critical to implement
authentication mechanisms on these devices, as the consequences
of a compromised wearable introduced into a workplace can be
severe data breaches and financial losses.

Figure 5: GATT Protocol [9]
Figure 6: Snoop log plain text disclosure [9]
Demand for wearables is ever increasing and the proliferation
of IoT has resulted in an explosion of applications of wearables in
various domains of life, viz. commercial, personal and medical.
Every day, new advancements in technology lead to an increase
in the volume of wearables in the market. As these devices
outperform some of the older smart devices, consumers buy the
new improved device even though they have older versions of the
same device, and hence the older versions are rented out, resold
Although this advanced technology benefits individuals, it still
has some security and privacy loopholes. We need to figure
out how to decommission the old device without disclosing
the data already stored on it, or to reset the whole device. Strong
user policies need to be implemented to ensure user data
security and privacy.
Figure 7: Security vulnerability facts on 10 smartwatches by HP

REFERENCES
[1] Siboni, S., Shabtai, A., Tippenhauer, N.O., Lee, J. and Elovici, Y., “Advanced security testbed framework for wearable IoT devices,” ACM Transactions on Internet Technology (TOIT), 2016, vol. 16, no. 4, article 26.
[2] Viral M. (01 Apr, 2012). “Wearable Computer.” Online. Available: http://www.slideshare.net/fbviralmehta/wearable-computer-12242345.
[3] Paul Lamkin (17 Feb, 2016). “Wearable Tech Market To Be Worth $34 Billion By 2020.” Online. Available: https://www.forbes.com/sites/paullamkin/2016/02/17/wearable-tech-market-to-be-worth-34-billion-by-2020/#59b1f53c3cb5.
[4] Linda Lee, Serge Egelman, Joong Hwa Lee, and David Wagner. 2015. Risk perceptions for wearable devices. arXiv preprint arXiv:1504.05694.
[5] Hewlett Packard Enterprise Analyst Report (12 June, 2017). “HPE Locks Down Server Security.” Online. Available: http://www.moorinsightsstrategy.com/research-paper-hpe-locks-down-server-security/
[6] Reihl, Damien, “Sensors, Wearables, and Liability: The Brave New World of IoT,” in 84 Hennepin Law. 7, 2015, pp. 7-11.
[7] Motti V.G., Caine K. “Users’ Privacy Concerns About Wearables.” In: Brenner M., Christin N., Johnson B., Rohloff K. (eds) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science, vol 8976. Springer, Berlin, Heidelberg, pp. 231-244.
[8] Di Pietro, Roberto, and Luigi V. Mancini. “Security and privacy issues of handheld and wearable wireless devices.” Communications of the ACM 46, no. 9 (2003): 74-79.
[9] Cusack, Brian, Bryce Antony, Gerard Ward, and Shaunak Mody. “Assessment of security vulnerabilities in wearable devices.” (2017). Proceedings of the 15th Australian Information Security Management Conference, pp. 42-48.
[10] Lotfy, Kerolos, and Matthew L. Hale. “Assessing pairing and data exchange mechanism security in the wearable Internet of Things.” In Mobile Services (MS), 2016 IEEE International Conference on, pp. 25-32. IEEE, 2016.
[11] Kamran Ali, Alex X. Liu, Wei Wang, and Muhammad Shahzad. 2015. Keystroke recognition using wifi signals. In Proceedings of the 21st Annual International Conference on Mobile Computing and Networking. ACM, pp. 90–102.
[12] Mengyuan Li, Yan Meng, Junyi Liu, Haojin Zhu, Xiaohui Liang, Yao Liu, and Na Ruan. 2016. When CSI meets public WiFi: Inferring your mobile phone password via WiFi signals. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, pp. 1068–1079.
[13] Nroseth. (27 Mar, 2015). Data Security in a Wearables World. Online
[14] Vangie B. Cloud. 4 Oct, 2015. Online. Available:
[15] Greig Paul and James Irvine. 2014. Privacy implications of wearable health devices. In Proceedings of the 7th International Conference on Security of Information and Networks. ACM, 117.
[16] David E. Sanger and Nicole P. (14 Feb 2015). Bank Hackers Steal Millions via Malware. Online. Available: http://www.nytimes.com/2015/02/15/world/bank-hackers-stealmillions-via-malware.html
[17] Do Potential Customers Think Wearable Tech Poses a Privacy Risk? Online. Available: https://www.apadmi.com/wearable-technology-trends/wearable-tech-privacy/
[18] Michalevsky, Yan, Dan Boneh, and Gabi Nakibly. “Gyrophone: Recognizing Speech from Gyroscope Signals.” In USENIX Security Symposium, 2014, pp. 1053-1067.
[19] Qinggang Yue, Zhen Ling, Xinwen Fu, Benyuan Liu, Wei Yu, and Wei Zhao. 2014. My Google Glass sees your passwords! In Black Hat USA 2014 White Paper.
[20] Lisa E. (09 Oct, 2014). A New Wave Of Gadgets Can Collect Your Personal Information Like Never Before. Online. Available: http://www.businessinsider.my/privacy-fitnesstrackers-smartwatches-2014-10/#GDuZGvtShqZO79S5.97
[21] Raij, A., et al., Privacy risks emerging from the adoption of innocuous wearable sensors in the mobile environment, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. 2011, ACM: Vancouver, BC, Canada. pp. 11-20.
[22] Kristi R. (22 Jul, 2015). HP Study Reveals Smartwatches Vulnerable to Attack. Online. Available: http://www8.hp.com/us/en/hp-news/press-release.html?id=2037386#.Wu7YTogvw2w
[23] Liviu A. (12 Sep, 2014). Bitdefender Research Exposes Security Risks of Android Wearable Devices. Online. Available: http://www.darkreading.com/partnerperspectives/bitdefender/bitdefender-research-exposes-security-risks-of-android-wearable-devices-/a/d-id/1318005