
Wearables and Quantified Self Demand Security-First Design

As a WearableTech enthusiast attending Black Hat Europe Amsterdam, I felt like I didn’t belong there and had lost my way. Black Hat, like Defcon, is one of the biggest information security events in the world, bringing together everyone from the hacking community and the information security industry. Wearable tech isn’t the first thing that comes to mind when you think of security, but the conference had me thinking: shouldn’t it be?

Black Hat Europe 2014 in Amsterdam

I must confess that it was refreshing to be able to converse in wearable tech language and be understood. The people I met at Black Hat shared my enthusiasm for wearable tech, and it was while talking with them that I found out that most of the companies presenting at Black Hat had not really touched the wearable space just yet. Some argued, “There isn’t really a reason for it”; others stated, “Somehow the need hasn’t yet been created.”

With the physical and digital worlds inevitably merging, I feel that security will become more and more relevant. The question should be: do wearable devices need a security model? You would think this question has the simple answer of “yes”, but then why do I find myself constantly trading convenience for security? This was something I was able to discuss with Symantec Threat Researcher Candid Wueest. He was the only speaker at Black Hat who integrated wearable technology into his talk. Wueest has done extensive research on wearables in the context of security and wrote a white paper, or rather a ‘Security Response’, with Mario Ballano Barcena and Hon Lau, called ‘How Safe Is Your Quantified Self?’

Sitting down with Wueest after his talk, I asked him about the relatively low sensitivity of the data collected by wearable tracking devices. Candid stated: “It’s not so much the level of danger that people put themselves in wearing these devices. It’s more the fact that maybe they should be offered the choice of what to share and what not.” ‘How Safe Is Your Quantified Self?’ basically revealed that, at this point, developers do not give security and privacy the focus that, some could argue, they deserve.

He continues: “From the devices we did the research on, only 52% had a privacy policy. 20% used simple “clear” (visible) text while users are asked for login credentials, and in some cases these devices would send data to up to 14 IP addresses.” Not long ago, Fitbit’s data measuring ‘sexual activity’ was visible to all by default, and could easily be found by searching Google for a particular Fitbit account.

Coding for the Raspberry Pi Scanner was written by Mario Ballano

Wueest explained to the Black Hat audience that his self-built Raspberry Pi device had ‘sniffed’ (tracked) at least 6 Jawbone and Fitbit devices worn by visitors to his session. He then showed the audience how easy it was to find out people’s whereabouts, their broadcast hardware addresses, and the time they actually entered or left the room. The security breach that Wueest demonstrated was quite clear.
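To make the privacy impact of that demonstration concrete, here is an added example (not the Symantec team’s research code, nor Mario Ballano’s Raspberry Pi scanner) that audits a constructed log of Bluetooth LE advertisements: it shows what a passive listener in the room can learn from a tracker that broadcasts a fixed hardware address, and why a device that rotates a randomised private address (the mitigation vendors can build in from the start) yields only unlinkable sightings.

```python
# Constructed sample log of BLE advertisements captured in one room:
# (seconds since capture start, advertiser address). The first device keeps a
# fixed hardware address; the second rotates a private address every ~10 min,
# so each of its entries looks like a different, unrelated device.
ADVERTISEMENTS = [
    (0, "AA:BB:CC:00:00:01"),
    (60, "AA:BB:CC:00:00:01"),
    (900, "AA:BB:CC:00:00:01"),
    (0, "5A:11:22:33:44:01"),
    (600, "6B:11:22:33:44:02"),
    (1200, "7C:11:22:33:44:03"),
]


def presence_windows(adverts):
    """Per address: (first_seen, last_seen, sightings).

    This is what a passive listener learns about a wearer: the time they
    entered, the time they left, and that one identifier was present throughout.
    """
    windows = {}
    for ts, addr in sorted(adverts):
        first, last, n = windows.get(addr, (ts, ts, 0))
        windows[addr] = (min(first, ts), max(last, ts), n + 1)
    return windows


def linkable_addresses(adverts, min_span_s=300):
    """Addresses that can be tied to one wearer for longer than min_span_s.

    An address that stays constant across a long window lets a listener track
    movement between rooms and sessions; an address that rotates before the
    threshold yields only isolated sightings that cannot be chained without
    the device's identity-resolving key.
    """
    return sorted(
        addr for addr, (first, last, _) in presence_windows(adverts).items()
        if last - first >= min_span_s
    )


if __name__ == "__main__":
    for addr, (first, last, n) in presence_windows(ADVERTISEMENTS).items():
        print(f"{addr}: entered t={first}s, left t={last}s, {n} adverts")
    print("trackable:", linkable_addresses(ADVERTISEMENTS))
```

Only the fixed address is reported as trackable; the rotating device appears as three unrelated one-off sightings.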

Wueest brought to the forefront the reality that wearable device developers do not even think about how to approach security when the development process starts. The overall consensus is to get the device ready to be produced and then “sprinkle some security on top” at the end.

Black Hat left me flabbergasted at the number of opportunities out there for tech companies looking to differentiate themselves from their competitors. The first company to actually treat security as a product feature instead of a handover could seriously have an edge on the competition. In the white paper ‘How Safe Is Your Quantified Self?’ the Symantec team advises companies to build security in from the start, not as an afterthought, and to make security testing part of the development process.

To conclude, Candid Wueest states, “Up till now we can only advise the vendors. We want to help wherever we can by giving out this information. Adding SSL content to the software only takes some simple coding but if the developer isn’t even aware of this they can always knock on our door to see if we can be of any significance.”

-Mano ten Napel
Novealthy

(Article also published on Wired.com)