Your Watch is Watching you. Who is Watching Your Watch?
Not Worried About the Internet of Things? Well You Just Became a Part of It.
HLSensory Overload: We’re Everywhere You’re Going To Be
As more and more “things” that you interact with every day become hooked into the internet, you leave a permanent trail of digital exhaust that enables hackers and government agencies to draw a more and more complete picture of your life. Your thermostat identifies times that you are gone from the house and what time you go to bed. Your coffee pot telegraphs what time you get up. And your wine refrigerator is more honest about your drinking habits than you are. So who cares? Maybe nobody. But then again, someone with a grudge, a stalker, organized crime, big brother, or a political rival may think it is worth the effort to find out all your personal habits. Now, with the advent of smartwatches, that digital trail will include your health information, all your movements, your photo albums, and more. The information is all uploaded to the cloud, and it is all there for the taking…And the same faceless hackers that learned how to hack into your toaster are now after even more personal data, which just happens to be held conveniently on your wrist.
Seen on the wrists of Beyoncé, Katy Perry, Drake, and Neil Patrick Harris, smartwatches are all the rage right now. With their sleek designs and high-tech functionality, they turn even the average Joe into James Bond. It makes sense then that their popularity is increasing. Running from $150 on the low-end to upwards of $17,000 on the high-end, smartwatches provide the convenience and capabilities of a smartphone in a tiny package.
But armed with tons of personal data about your life, how secure are they really? Recently HP conducted a study into 10 smartwatches on the market today along with their Android and iOS cloud and mobile apps. They found that 100% of those smartwatches have significant vulnerabilities, including authentication, lack of encryption, and privacy concerns.
So for the technophobe, what does that actually mean? Authentication happens when you type a password into your smartwatch. You are proving to your smartwatch that you are who you say you are. Two-factor authentication is when there are two different means of proving to your device that you are authorized to have access. An example would be if you set up your smartphone to require a password and a physical characteristic (a biometric), such as a fingerprint, in order to open the phone.
HP tested smartwatches that didn’t have two-factor authentication and locked out after three-to-five failed password attempts. They found that three in ten were vulnerable to account harvesting, meaning an attacker could gain access to the device and data via a combination of weak password policy, lack of account lockout, and user enumeration. Translation? Thirty percent of these smartwatches could be hacked.
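For readers who want to see what closing those three gaps looks like on the service side, here is an added example (not from HP's study or any vendor's code). The AccountStore class, its constants, and the denylist are hypothetical names and values chosen for illustration; it rejects weak passwords at sign-up, locks an account after repeated failures, and answers every failed login identically so real usernames cannot be told apart from invented ones.

```python
import hashlib, hmac, os, time

MAX_FAILURES = 5        # the article cites lockout after three to five failures
LOCKOUT_SECONDS = 900   # assumed lockout window
MIN_LENGTH = 12         # assumed password policy
COMMON = {"password1234", "123456789012", "qwertyuiopas"}  # constructed denylist
GENERIC_ERROR = "invalid username or password"  # identical for every failure

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    def __init__(self, clock=time.monotonic):
        self.users = {}       # username -> (salt, password hash)
        self.failures = {}    # username -> (failed count, locked-until time)
        self.clock = clock
        # Dummy record so unknown usernames cost the same hashing work.
        self._dummy = (os.urandom(16), os.urandom(32))

    def register(self, username, password):
        # Weak password policy is one of the three harvesting ingredients.
        if len(password) < MIN_LENGTH or password.lower() in COMMON:
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        count, locked_until = self.failures.get(username, (0, 0.0))
        if self.clock() < locked_until:
            return GENERIC_ERROR          # do not reveal that the account is locked
        salt, stored = self.users.get(username, self._dummy)
        match = hmac.compare_digest(_hash(password, salt), stored)
        if match and username in self.users:
            self.failures.pop(username, None)
            return "ok"
        # Count failures for unknown names too, so lockout behaviour
        # cannot be used to tell real accounts from invented ones.
        count += 1
        until = self.clock() + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, until)
        return GENERIC_ERROR
```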
Another issue HP found pertains to the lack of transport encryption, which is important since personal data is being moved around in a cloud. What does that mean? Without getting too in-depth, the cloud is where your personal data is stored. Encryption is what keeps data secure; when it is sent from place to place, encryption essentially turns the data into a secret code that can only be decoded using a key. Suffice it to say that encryption helps keep your private data private, and a lack of encryption makes your personal information more vulnerable to thieves.
And speaking of personal information, smartwatches collect a lot of it. What a lot of people forget about smartwatches, and smartphones for that matter, is that they are mini computers. Of the smartwatches HP looked at, all collected some combination of the owners’ name, address, date of birth, weight, gender, heart rate, and other health information; all stuff you would not want getting out into the world wide web. Given some of the security vulnerabilities in the smartwatches, this information could make them a valuable target to cybercriminals.
In case you haven’t been paying attention, cybercrime is on the rise. According to Roel Schouwenberg, principal security researcher for Kaspersky Labs, an anti-virus firm, “Over the last two years or so, we have seen a huge influx” in hackers targeting smartphones. With the advent of mobile payment systems, like Apple Pay, smartwatches and smartphones will become an even more desirable target. Security software company Trend Micro has predicted a rise in 2015 for attacks against these mobile payment systems. Advertised by Apple using the tagline “Your wallet. Without the wallet.”, Apple Pay is intended to be the application to remove the need to ever carry cash. According to their website:
“Now you can buy coffee, groceries, and more right from your wrist. Apple Pay will change how you make purchases with breakthrough contactless payment technology and unique security features built into Apple Watch. So you can use it to pay in a simple, secure, and private way.”
In addition to mobile banking, hackers love the concept of applications. It’s an easy way for them to spread malware, which is software that is intended to damage or disable computers and computer systems. In 2010, a developer uploaded an application called the “Official First Tech Credit Union” to the Android App Store. It was a banking application designed to steal personal information when the user entered their banking logins and passwords.
It’s not just the cybercriminals you need to worry about. This past year, the Wall Street Journal and Time Magazine reported on a program run by the U.S. Marshals out of the Department of Justice (DOJ) designed to collect data from the cell phones of suspects in law enforcement investigations. To do this, the Marshals would fly a small aircraft over the area where the suspect was located, and a high-tech device, called a dirtbox, would trick the suspect’s cell phone into connecting with it instead of an actual cell tower. This would allow the Marshals to get data off of their phone, including their exact location.
What’s the big deal, you might ask yourself. Well, while the Marshals are targeting specific individuals, the technology is not. By using dirtboxes, all phones within a certain range of the aircraft would be connecting to the device, inadvertently giving law enforcement officials access to the data of thousands of individuals every time it is used. Civil rights groups, including the American Civil Liberties Union (ACLU), say that this may be a violation of the Fourth Amendment, the part of the Bill of Rights that prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause. Their argument is based on the connection to the phones of anyone other than the suspect, for whom law enforcement officials have no probable cause. With dirtboxes operating out of five metropolitan cities that have a range essentially covering the entire nation, the odds are that your phone has been accessed. With GPS location tracking on your smartwatch using the same technology as smartphones, your smartwatch is the next unintentional target. The DOJ says that there is no database of cell phone information, meaning that the data is not being stored, and they say that all federal investigations are subject to court approval. This does not negate the fact that innocent civilians’ phones have been accessed.
As we move further into the digital age, our identities are being more and more deeply imprinted into a cloud that we can’t see and of which we have only a faint concept. While the economic and environmental benefits of a thermostat that keeps the house comfortable only when it is inhabited cannot be denied, what are the benefits of making every intimate detail of your life available to whoever is smart enough to take it? If someone is smart enough or powerful enough to take your data, they are probably smart enough to make you want to buy it back.
Knowing what you know now, would you consider getting a smartwatch, or will you stick with the tried and trusted method of looking to your wrist for the time?
For more information about the privacy and security of smartwatches and smartphones check out the following links:
New York Times, Smartwatches and Weak Privacy Rules: http://www.nytimes.com/2014/09/16/opinion/smartwatches-and-weak-privacy-rules.html?_r=0
University of Cincinnati, Smartphone Cybercrime & Security: How to use your mobile powerhouse the SMART way — A guide to protect your Android phone from cybercriminals: https://www.uc.edu/content/dam/uc/infosec/docs/general/smartphone_cybercrime_Final.pdf
LifeHacker, PSA: Your Phone Logs Everywhere You Go. Here’s How to Turn It Off: http://lifehacker.com/psa-your-phone-logs-everywhere-you-go-heres-how-to-t-1486085759