Smart wearables: Are they smart enough to protect your data?
It's 8 a.m. A smart watch gently vibrates, waking you up, but you don't feel fresh. You throw a quick glance at its glowing face to check the graph of your sleep stages. Too little deep sleep last night. That explains it. As you dress yourself up, you fasten a smart belt — sensors in its buckle track your waist circumference, making sure you don't overindulge. Before you go out, you check if your smart sneakers are well charged — they lace themselves up after you put them on. You wear two smart rings: one to lock your NFC-enabled door and another to pay for an espresso at the nearest coffee shop. But you're still cold. It must be your blood pressure. You check your smart watch again: indeed, it is too low. One more espresso, please. You're still chilly, but you know it is not for long: your Alexa-connected smart jacket has sensed your discomfort and is already heating itself up.
That scene, if slightly exaggerated, is not borrowed from the newest Black Mirror episode. All these devices are already on the market: some of them are mass-produced, while others are just bursting onto the Internet of Things (IoT) scene.
It seems that every item now has its smart doppelganger. The IoT market is booming: in 2022 alone, it is expected to grow 18%, and by 2025, we are estimated to be encircled by 27 billion connected IoT devices. All of them will be equipped with built-in sensors, software and other tech capable of harvesting large amounts of fine-grain location, health and personally identifiable data and transferring it in real time to other internet-connected devices and remote servers. The connection, be it Wi-Fi or Bluetooth, is, and likely will be, vulnerable to hacks and leaks.
Some would argue that wearables are just over-hyped expensive toys, unreliable, insecure and easily dispensable, while others could not imagine their lives without them. After all, they aim to (and sometimes do!) make our everyday existence easier, more convenient, and predictable.
Toy for some, life-saver for others
Gadget gurus and tech geeks get wearables mostly out of curiosity and FOMO. Fitness fanatics put trust in their abilities to track steps, distance, and calories burned. Health-conscious users, especially those suffering from chronic health issues, are sold on the promise of more autonomy and less dependence on caregivers or regular and costly doctor's appointments.
A smart belt can not only measure a waist, but it can also predict a fall. A GPS sole is marketed as a tool to track patients with Alzheimer's. A smart watch can monitor blood sugar levels in real time and share this data with family or a physician so that they can respond swiftly in case it drops too low. Wearable defibrillators can administer shock therapy if they detect a life-threatening cardiac rhythm. A smart band for the visually impaired will send haptic vibrations to warn the user of proximity to objects.
It won't be an overstatement to say that wearables are already saving lives. An Apple Watch has been credited with saving the life of a cyclist by alerting the emergency authorities of his fall and sending them his exact coordinates. In another case, a man took an ECG with the app on his smart watch after experiencing chest pains only to find out that 99.9% of his arteries were blocked. In yet another case, a woman said that the watch alerted her of an unusually high heart rate — it turned out she suffered a heart attack without realizing it.
There's no doubt that the functionality of IoT devices will evolve as the sensors powering them become more advanced. Apple is looking into how to make its smart watch predict asthma attacks. A group of Swiss students have designed a smart bra that can detect the earliest signs of breast cancer. Under Armour has filed a patent application for a shoe(!) that is able to take a wearer's blood pressure. It seems the sky's the limit.
From tech gimmick to fashion accessory
With the IoT market exploding — it is forecast to grow by 17.8% on average annually and reach $280 billion by 2030 — wearables no longer appeal only to those infatuated with high-tech, obsessed with fitness or plagued by health issues.
As much as wearable tech is revolutionizing healthcare, it is making a fashion statement.
From the first wearable IoT device — a bulky wireless webcam in 1994 that transmitted live images to the internet with the help of an antenna — interconnected devices have gone a long way in terms of design. Levi's is partnering with Google on a denim jacket that can answer phone calls and play music, Apple Watch is collaborating with Hermes and Nike, while Samsung Galaxy Watch is partnering with luxury fashion brand Thom Browne. Celebrities like Kim Kardashian and Gwyneth Paltrow are flaunting their smart rings to millions on Instagram.
Smart devices, once a luxury gimmick, have gone irreversibly mainstream, becoming cheaper along the way. Wearable tech has made its way into the workplace: smart helmets prevent construction site workers from overheating by monitoring temperature and heart rate of the wearer and taking in the external temperature and humidity. Into sport: a concussion-preventing smart mouthguard sends data to an iPad app via Bluetooth and alerts coaches if athletes sustained head impact. Into policing: smart glasses fitted with facial recognition tech can tap into police databases and help identify suspects. Into insurance: some health insurance providers give customers a smart watch for free or with a big discount provided they meet their activity goals.
That's not an exhaustive list of what interconnected wearable devices are capable of. The potential for their application knows no bounds, and, by all accounts, they will become a constant presence in our lives sooner rather than later. If such a future is all but inevitable, we should be all the more concerned about how these devices handle our data. And this is where the sci-fi fairytale meets the harsh reality.
Smart devices are trigger-happy and unreliable
Despite all the breakthroughs in sensor science and engineering, the technology at the heart of smart devices leaves something to be desired. They are prone to false positives, which may not seem like a big problem at first glance. However, it is not something to be brushed off. Apart from causing unnecessary anxiety to otherwise healthy individuals, false positives are putting additional strain on the healthcare system's already limited resources.
A recent study found that only 11.4% out of 264 people who went to a doctor after receiving "abnormal" pulse readings and alerts from Apple Watch were diagnosed with a new heart condition — indicating a high rate of false positives. In some of these cases patients went to the doctor's only after being specifically told by their watches to do so.
Although those who wear smart devices are discouraged from using them for self-diagnosis, there is always a risk of the wearables replacing the infamous Doctor Google as their primary care physician.
False alarms can also tie up police resources and delay response to real emergencies. In 2019, emergency services across ski resorts in Colorado, USA were inundated by false 911 calls from Apple Watches as their owners continued peacefully skiing along the state's slopes, oblivious to what their gadgets were doing.
There has been anecdotal evidence of smart watches erring on the side of caution. A fall alert may reportedly be triggered by something as minor as slapping a hand on a surface, chopping vegetables or clapping.
Engineers and developers have to walk a fine line for their devices to continue saving lives without becoming too trigger-happy. Accuracy will improve as the code base grows, but this growth can also potentially lead to more bugs in the code and therefore vulnerabilities. The amount of data collected will also inevitably increase. So while the accuracy problem may be resolved over time, the security and privacy issues will only get worse.
Too much data, too little care
In 2018, the locations of secret US military bases, including in Afghanistan and Syria, were inadvertently exposed by a fitness tracking app Strava. Experts spotted the outlines of previously unknown military sites on a map showing 3 trillion GPS data points uploaded by Strava users. Apparently, soldiers turned on the app's tracking feature when they went jogging. It's unlikely they were aware where that data would end up and who else would see it.
If soldiers had so little clue about what could happen to their data, then how much awareness can we expect from regular users?
Some governments do not expect much, and are taking matters into their own hands. In 2017, Germany banned children's smart watches with a location-tracking feature, recommending parents to get rid of the devices they had already bought. And it turned out to be a smart move. Two years later a smartwatch marketed for kids and featuring a GPS tracker was found to be storing location data on 5,000 children globally on the company's unencrypted servers in China. The data contained images, voice messages, names and addresses.
One might wonder why these security issues arose in the first place. It's true that companies can mishandle user data. However, the root of the problem is that many wearable IoT devices are insecure by design.
Smartwatches and smart bands remain the most popular wearables, jointly occupying over 50% of the market. While both can be synced with smartphones, smart bands have a limited set of features and are usually fitness-focused. Smart watches, on the other hand, have a broader set of features and, consequently, need more user data to perform them — that makes them a greater privacy and security risk. How so?
As we've mentioned earlier, more complex functionality requires a larger codebase, and the larger the codebase, the more room for bugs, which in turn leads to more vulnerabilities. To sum up: the more data your smart device processes, the more likely that data will be compromised as a result of an overlooked vulnerability in its ever-expanding codebase. The impact from a leak increases with the rise in functionality as well: the more data is being processed, the more data can be leaked — simple as that.
Wearables collect data through sensors and store it locally before sending it to the corresponding mobile app. Since 24/7 health monitoring requires lots of computing power, wearables' relatively miniature size, coupled with the need to have a reasonably long battery life, limits what they can do. In order to compensate for the lack of computing power, the majority of them transmit the data to an internet-connected gateway (a smartphone, a tablet or a PC). This "parent device" serves as a temporary storage from which the data is then transferred to the cloud.
Thus, smartphones serve as an intermediate stop that the data passes through on its way to the permanent data storage. Smart devices rely on three types of wireless connection to relay the data: Near Field Communication (NFC), Bluetooth and Wi-Fi. For the most part, IoT device traffic is unencrypted, which means that bad actors can 'listen' to the traffic and extract personal and confidential data during transmission. Another way for hackers to gain access to data is to force a wearable to transfer it to a fake "parent device" instead of the real one.
One has also to keep in mind that wearables share a large amount of location and personally identifiable information with apps. Apps can transfer the data to third parties, who can, in turn, use it for ad targeting. According to a 2019 report by Juniper Research, wearable IoT vendors are expected to earn $855 million by selling data produced by the devices to insurance providers by 2023.
Good intentions gone rogue
Developers are coming up with ever more creative ways to make our lives easier… or harder. Last year, Apple released a coin-shaped device called the AirTag that should help users keep track of their belongings, like car keys. Once you have marked your AirTag as lost, it will ping all Bluetooth-enabled Apple devices near you in order to find it and send you its location on a map.
The idea, however, has somewhat backfired. Apple's Bluetooth tracker has become known as a perfect tool for covert surveillance. Dozens of women have filed police reports involving AirTags. In many cases victims received notifications that they were followed by an unknown AirTag, and in half of those cases the stalkers turned out to be their exes.
It's worth noting that the Bluetooth signals emitted by smartwatches and other smart devices are themselves trackable and identifiable data. First, each Bluetooth device has a unique address, which is sometimes referred to as a Bluetooth MAC address. Second, research has shown that it's possible to identify a person by their unique 'Bluetooth fingerprint' based on the defects in the Bluetooth hardware. The same applies to Wi-Fi.
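The address point above can be checked against your own device. The following is an added example, not part of the original article: it classifies Bluetooth Low Energy addresses from a scan log by the address-type bits defined in the Bluetooth Core Specification and reports whether a device kept one address long enough to be followed by it. The scan log, device names and the 30-minute window are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample scan log, not captured from real devices:
# (seconds since start, address, kind reported by the scanner, advertised name)
SCAN_LOG = [
    (0,    "00:1B:DC:0F:12:34", "public", "band-A"),
    (900,  "00:1B:DC:0F:12:34", "public", "band-A"),
    (1800, "00:1B:DC:0F:12:34", "public", "band-A"),
    (0,    "D3:5A:11:22:33:44", "random", "watch-B"),
    (900,  "D3:5A:11:22:33:44", "random", "watch-B"),
    (1800, "D3:5A:11:22:33:44", "random", "watch-B"),
    (0,    "4C:9E:01:02:03:04", "random", "watch-C"),
    (900,  "6A:77:0A:0B:0C:0D", "random", "watch-C"),
    (1800, "51:03:AA:BB:CC:DD", "random", "watch-C"),
]

def address_class(address, kind):
    """Classify a BLE address; random sub-types are encoded in its top two bits."""
    if kind == "public":
        return "public"  # fixed, manufacturer-assigned address
    top_bits = int(address.split(":")[0], 16) >> 6
    return {0b11: "random-static",            # fixed at least until power cycle
            0b01: "resolvable-private",       # rotates, resolvable by bonded peers
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")

def audit(scan_log, window=1800):
    """Per advertised name: address classes seen, and whether any single
    address persisted for `window` seconds (assumed threshold)."""
    seen = defaultdict(lambda: defaultdict(list))
    for ts, addr, kind, name in scan_log:
        seen[name][(addr, kind)].append(ts)
    report = {}
    for name, addrs in seen.items():
        longest = max(max(ts) - min(ts) for ts in addrs.values())
        report[name] = {
            "classes": sorted({address_class(a, k) for a, k in addrs}),
            "addresses": len(addrs),
            "trackable_by_address": longest >= window,
        }
    return report

if __name__ == "__main__":
    for name, result in audit(SCAN_LOG).items():
        print(name, result)
```

Grouping by advertised name is a simplification for the sample data; a device that rotates its address but broadcasts a distinctive name is still identifiable by that name.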
Another big issue with wearable IoT technology is encryption, or rather the occasional lack of it. This can result not only in injury to privacy, but also in quite serious bodily harm. In 2020, a flaw was discovered in the API of a Bluetooth-enabled chastity belt made by a Chinese company. The flaw resulted in a short period of time when users could not unlock their cages with an app. Bad actors could use the faulty API to access users' personal information, including precise location, passwords, and email addresses stored unencrypted in the company's database.
Vulnerabilities in web applications and software can sneak their way into smart clothes as well. What if your smart jacket glitches and refuses to heat up or, alternatively, turns up the heat too much? What's more, the lack of security patches and timely software updates makes wearables easily hackable. The idea of being killed by a smart jacket-induced hyperthermia may look like it is borrowed from a lame horror movie, but it is closer to reality than we might think.
The wearable IoT industry is a fledgling one. It might promise a lot and is already doing a lot, but it also faces a huge challenge — getting rid of security loopholes inherent to design that threaten user privacy and security. And since smart devices collect highly sensitive personal data in large quantities and are not planning to stop, the sooner these loopholes are closed, the better.
Necessary precautions to take
It should be said that manufacturers might put privacy and security issues on the back burner in favor of integrating as many new features into their smart devices as possible to pull ahead of the competition. The IoT market is expanding at a tantalizing pace, so it's understandable that companies want to carve out a niche for themselves while they still can.
As such, the onus is on users to make sure they are not risking their data for a pendant or a shoe. There are some tips that you might want to follow:
Opt for trusted manufacturers that have not been caught leaking data or are unlikely to store it in an unencrypted form. The vendor should push timely updates and patches to all products under support.
Go to official app stores (App Store, Google Play or AppGallery) for apps and avoid sideloading apps from bogus sources to your smart device.
Disable unauthorized pairing of your wearable device if possible. Thus you ensure it does not connect to random Bluetooth-enabled devices.
If possible, change your factory-set password.
Make sure your software and apps are up to date, so that you don't miss critical patches.
Set up two-factor authentication on your phone (or other paired device) and accounts.