Sports, fitness, healthcare, industrial, and insurance solution providers are adopting wearable devices such as smart-bands, smartwatches, and track and trace devices to provide value-added services to their customers. According to new data from the International Data Corporation’s (IDC) Worldwide Quarterly Wearable Device Tracker, the worldwide wearable device market is expected to grow from 102.4 million devices in 2016 to 237.5 million devices in 2021, a five-year compound annual growth rate (CAGR) of 18.3%.
Source: IDC Worldwide Quarterly Wearable Device Tracker, March 20, 2017
Wearable devices sense, process, and transmit user-specific data to a smart device or the cloud for analysis. This data, which includes an individual’s details such as location, activity, movement, and vital signs, is critical, and the fear of data theft is a real concern today.
User-specific data is either stored, cached or transferred and is susceptible to hacking at various levels: on the wearable device, in communication between the wearable device and the smartphone, between the smartphone and the Wi-Fi router, and from Wi-Fi to cloud storage. Many third-party applications are designed to run on smart wearables to perform analytics on the collected user data and provide specific inputs to improve consumers’ lives, help users manage their fitness, and improve personal productivity and efficiency. This sensitive data, which can be used to monitor user activities and steal personal information, is highly sought after by third-party advertisers, marketers, data brokers, and information resellers.
Wearable devices are prone to various kinds of attacks, which pose multiple security threats to the wearable device and its user. The main security threats include theft of user data, manipulation of users’ data, preventing legitimate access to the wearable device or its data, and compromising device integrity. Attackers can physically manipulate the wearable device to redirect, modify, and access users’ sensitive data. They can also tamper with and snoop on data on the smartphone before it is uploaded to the web server, or in transit from the wearable device to the smartphone or from the smartphone to the website/cloud. A fake/malicious firmware update attack can prevent legitimate users from accessing the device and applications, thus making it unusable. A fake/malicious firmware update can also lead to corruption of local databases, fraudulent use of applications, and draining of the wearable device’s critical resources such as battery and CPU.
Wearable Solution Architecture
A wearable solution usually consists of a wearable device, a smartphone, a wireless router or mobile data connection, and the cloud. The wearable device is connected to the smartphone through short-range communication, most likely Bluetooth/Bluetooth Low Energy (BLE). The mobile device uploads data to the cloud using mobile data or a Wi-Fi router. Third-party applications (e.g. analytics algorithms) run on the cloud to further analyze user behaviour. All of these devices are prone to security attacks. Some next-gen wearable devices also have in-built LTE and Wi-Fi connectivity, which enables them to communicate with the cloud directly.
A person tracking wearable device developed by Sasken
Figure 1: High-level overview of Wearable Solutions architecture
From a data-flow perspective, the wearable solutions architecture can be viewed as follows:
- Platform: Operating environment of wearable device and smartphone
- Run-time applications security: Real-time application attacks, cross application data access by unauthorized applications
- Communication: Communication between wearable device and smartphone, smartphone and cloud (data storage)
- Data Storage: Data storage on wearable device, smartphone and cloud
From a security perspective, the data flowing through these entities is susceptible to various attacks, and the different components of a wearable solution need to be secured.
The table below illustrates various components, possible attacks, and methods to secure the various entities:
| Sr. No | Component | Possible Attacks | How to Secure |
|---|---|---|---|
| 1 | Wearable Device’s Operating Environment | · Unauthorized alteration of firmware software<br>· Connection of unauthorized smartphone device<br>· Malicious/fake firmware update | · Secure Booting (Boot-Time Authentication of all Loaders)<br>· Effective use of Trusted Execution Environment (TEE)<br>· Encrypting the Storage<br>· Utilizing the Hardware Memory Isolation Feature<br>· Enabling Firmware update Over-the-Air (FOTA), Updates and Patches, to ensure quick fix of possible security breaches<br>· Run Authorized Applications only |
| 2 | Connectivity – Bluetooth/BLE, Wi-Fi | · Unauthorized access<br>· Bluetooth stack to gain access to device<br>· Device Integrity | · Secure Device Authentication<br>· Encryption of transmitted packets |
| 3 | SmartPhone Applications’ Run-time Security<br>· App Frameworks<br>· App Software<br>· Utility APIs<br>· App Analytics<br>· Location Services | · Unauthorized access to Smartphone Firmware software, thereby accessing application data<br>· Unauthorized access to user data<br>· Falsifying users’ health data<br>· Abusing health data<br>· Stealing a user’s health data<br>· Stealing a user’s location data<br>· Stealing user’s daily routine data | · Data from wearable device is always Encrypted<br>· Application provides an isolated secure environment to process and analyse data<br>· With respect to Wearable device: Ensure secure Device Authentication. Identity & Privacy management<br>· Personally identifiable information (PII), Finger Print<br>· Depend on SmartPhone Operating Environment: Access Control, Secure data provenance, Data confidentiality, Application isolation |
| 4 | Physical Access | · Tampering the wearable device | · Encrypting your storage<br>· Remote erase feature<br>· Detect Tampering at Hardware Level & perform Kill Pill |
| 5 | Cloud Services | · Unauthorized access to user data<br>· Stealing user health data<br>· Falsifying user’s health data | · Security Hardened Cloud OS<br>· Secure Connectivity<br>· Secure Login<br>· Various levels of Login privileges<br>· User data stored in encrypted form<br>· User Identity isolation<br>· Data Privacy<br>· Firewalling and Intrusion Prevention System (IPS) |
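
To make row 1's "Boot-Time Authentication of all Loaders" concrete, the following is an added example, not code from the article or from Sasken. It assumes a simplified scheme in which each stage embeds the SHA-256 digest of the next stage and the first digest sits in immutable ROM; production secure boot typically uses asymmetric signatures instead, and the function names and sample images are hypothetical.

```python
import hashlib
import hmac

DIGEST_LEN = 32
END_OF_CHAIN = bytes(DIGEST_LEN)  # all-zero field marks the last stage


def build_chain(stage_code):
    """Link stages back to front: each image = digest of next image + code.

    Returns (root_digest, images); root_digest is what would be fused into ROM.
    """
    images, next_digest = [], END_OF_CHAIN
    for code in reversed(stage_code):
        image = next_digest + code
        images.insert(0, image)
        next_digest = hashlib.sha256(image).digest()
    return next_digest, images


def verify_boot_chain(root_digest, images):
    """Return (ok, failed_stage_index); each stage is checked before it 'runs'."""
    expected = root_digest
    for index, image in enumerate(images):
        if expected == END_OF_CHAIN:
            return False, index          # extra stage nobody vouched for
        actual = hashlib.sha256(image).digest()
        if not hmac.compare_digest(actual, expected):
            return False, index          # altered or substituted image
        expected = image[:DIGEST_LEN]    # trust passes to the next stage
    if expected != END_OF_CHAIN:
        return False, len(images)        # chain truncated: a stage is missing
    return True, None


# Constructed sample images (placeholders, not real firmware).
ROOT, CHAIN = build_chain([b"first-stage loader", b"second-stage loader",
                           b"wearable application firmware v1"])


def tampered(index, new_code):
    """Copy of CHAIN with one stage's code replaced, its digest field kept."""
    images = list(CHAIN)
    images[index] = images[index][:DIGEST_LEN] + new_code
    return images


if __name__ == "__main__":
    print(verify_boot_chain(ROOT, CHAIN))
    print(verify_boot_chain(ROOT, tampered(2, b"fake firmware update")))
    print(verify_boot_chain(ROOT, CHAIN[:2]))
```

Because every stage is bound to the digest held by the stage before it, a fake firmware image is rejected at its own position in the chain and a legitimate update has to re-link every earlier stage, which is why real devices sign images rather than fuse per-image digests.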
With the increased adoption of wearables in daily life, security remains a main challenge. The threats and possible solutions are reviewed constantly for the different entries listed in the table above.
This article has been authored by Venkatram Aurva, Head – Smart Devices Portfolio, and Vipin Tyagi, Assistant Manager, Pre-Sales, Sasken Technologies Limited