With each passing day, wearable devices are accessing or storing more personal data than ever before. This trend has given rise to concerns about how secure consumer data is in the wearable world. The movement of wearable devices into areas like mobile health has only served to heighten this concern as questions like HIPPA applicability begin to be discussed. On one side of the debate is the argument that wearable device data security lacks transparency into what is being collected, how it is being used, and how it is being protected. On the other side of the debate is the argument that when a consumer purchases a wearable device, they do so knowing the inherent risks. Is the concern over wearable data security well-founded and should it impact a consumer’s decision to buy a wearable? In this article, we take a look into data security in the world of wearables. Areas of Vulnerability
When it comes to wearable devices, there are 3 points of vulnerability related to consumer data: local device storage, software communication to the cloud via a cellular or WIFI network, and cloud storage. Currently, the first area of vulnerability, stealing data off the local device storage isn’t highly likely unless the device itself were to be stolen and hacked into. The data stored locally on the device is at more risk while it is being transmitted via Bluetooth. If someone wanted to steal data while a wearable device communicated over Bluetooth, they could “simply make use of sniffers to do so” as acknowledged by Sonny Vu of Misfit. Note that the data at this stage is raw, collected by specialized algorithms, and is not typically human readable until it has been unpackaged and read by the corresponding device software. Of course, the amount of data available will largely correspond to the functionality within the wearable device. For instance, a smartwatch with the capability to send social media notifications may require login information be stored and checked on the local device. That functionality opens up the smartwatch to much more risk compared to a simple fitness tracker. The second area of vulnerability lies within the software communication to the cloud via a cellular or WIFI connection. This area of vulnerability is explained by Symantec: during transmission, data is at risk from an array of possible threats. These include traffic sniffing, which lets attackers collect all transmitted data, and man-in-the-middle and redirection attacks, which could cause data to be sent to the wrong server. When the software communicates to the cloud, there is often more data to steal as data that has been transferred from the local storage on the device to the app is typically combined with personally identifiable data like name, e-mail, telephone number, and location to ensure that the data is being uploaded to the proper account. At this point, the potential loss of private data borders on a fairly sensitive level but most companies attempt to mitigate these risks by applying “strong encryption and authentication on the data being transmitted. ” Many companies also apply a level of security at the application layer which can help prevent data from being stolen. If you happen to be interested in what levels of security are applied by the device manufacturer while data is in transmission, review their FAQs and see if they provide the information. If you can’t find it there, contact their customer support and inquire about how they protect your data. The most vulnerable area of the wearable world to data theft is cloud storage. Symantec explains: depending on the configuration of the system, there could be any number of risks including SQL injection attacks, account brute force login attacks, distributed denial-of-service (DDoS) attacks, remote software vulnerability attacks, default password or back door attacks. Cloud storage is the most vulnerable area due to the amount of Personally Identifiable Information (PII) that is available. Anyone with an internet connection could invade the cloud and steal a company’s collected data. But now I get emails from prospective mbas wanting to share their experience https://paperovernight.com/ or ask for advice, which is so cool. Attacks on the cloud are typically sophisticated, coordinated, planned months ahead of time and are carried out by highly skilled cyber criminals. For instance, respected security experts Kaspersky recently detailed how a cybercriminal gang stole up to $1 Billion by impersonating bank employees through the use of malware on 3 different continents. As we continue to see, no matter how diligent a company may be with data stored on the cloud, the possibility of an undetected back door to compromise the data exists. The Identity Theft Resource Center says that in 2014 there was an average of 15 data breaches per week !
How Concerned Should You Be?
Does the wearable world pose a greater risk to data compromise than other technologies? The wearable ecosystem is not dramatically different from other ecosystems; it presents the same line of defenses and for the most part, has the same level of exposure. What’s more, the data collected by wearables isn’t any more comprehensive than the information collected by financial institutions, healthcare systems, Facebook, Twitter, or LinkedIn. As of this writing, no publically acknowledged data breach has occurred in the wearable community but it may be simply a matter of time. For reference, here is a list of some of the top data breaches in the last 15 months:
Community Health Systems
Sally Beauty Supply
In the cases of Anthem Health, JPMorgan Chase, and Target, cyber criminals were able to steal social security numbers, credit card information, financial data, health information, and much more. These companies had some of the highest levels of security protocols protecting their data but were still compromised. The wearable world poses no greater risk to a loss of data than any other business area. The concerns being raised today should push wearable manufacturers to heed the lessons learned by the high profile failures of companies outside the wearable space. As with all technologies that collect, transmit, and store data, consumers should be cautious with their wearables like when they handle banking online or checking Facebook on a public network. References
Hammond, Teena. “Wearables open new avenues for security and privacy invasions” www. zdnet. com ZDNet. com 02, February 2015
Barcena, Mario Ballano. United States. Symantec. Security Response: How safe is your quantified self? www. symantec. com/connect/symantec-blogs/sr , 2014. Print. Sanger, David E. and Perlroth, Nicole. “Bank Hackers Steal Millions via Malware” www. nytimes. com The New York Times. 14, February 2015
Identity Theft Resource Center. “Identity Theft Resource Center Breach Report Hits Record High in 2014”. http://www. idtheftcenter. org/ITRC-Surveys-Studies/2014databreaches. html. Identity Theft Resource Center. 12, January 2015.