To put things in perspective, the security and privacy risks associated with wearables are “quite low, but it escalates with the type of device,” says Chet Wisniewski, principal research scientist for security software developer Sophos.
“Pure biometric activity trackers like pedometers and heart rate monitors may leak information over Bluetooth but it’s reasonably difficult to capture, and it’s of little value to attackers,” Wisniewski says. “As you move up to things like smartwatches the risk increases, but mostly due to trust and theft, not so much interception. A found smartwatch within a few meters of the paired smartphone could be used to steal emails and contacts. This risk may increase with some of the newer smartwatches that have an LTE connection, as they can operate away from the paired device.”
In general, “personal connected devices that primarily operate via close-proximity protocols, like Bluetooth Low Energy, and piggy-back onto mobile devices, such as smart phones, are generally less directly accessible for abuse, vs. IoT devices that are actively connected to the internet via Ethernet or Wi-Fi,” adds Michael McNeil, global head of product device security for Philips Healthcare, which provides clinical healthcare systems and consulting.
Many non-activity tracking IoT devices run on commodity hardware with firmware that’s often not ‘purpose built’ and thus could expose extra services, such as SSH or Telnet remote administration or complex web application back ends, McNeil says. “Personal fitness devices are often very restrictive due to size and computing capabilities, with more specific engineering involved that provides less direct attack surface,” he says. “So, much of the risk is usually with the security of the services that store and transmit this personal data to-and-from the mobile application or other means of data transfer/functionality. Management of these risks should take into consideration these specific parameters of the IoT devices and their possible attack surfaces.”
In addition, Fitbit, the leading wearable maker for corporate wellness, has much to lose if it doesn’t take security seriously.
According to IDC, Fitbit is still the top maker of activity trackers, though it has lost some market share. The company also has a corporate division, Group Health, which offers wellness programs to customers such as Adobe, McKesson and BP. And Fitbit CEO James Park has said recently that growing its Group Health business “is critical to the growth of the company.”
To help safeguard against hacks and to protect data, Fitbit devices receive firmware updates that address security (and functionality) as needed and include built-in encryption when syncing data to the cloud, says Marc Bown, Fitbit’s senior security engineer.
Other security steps Fitbit takes include the following:
- Partnering with a customer’s IT and/or security team to “proactively address any questions or concerns” regarding the security of employee fitness and health data, says Amy McDonough, vice president and general manager of Fitbit Group Health.
- Offering an invite-only, bug bounty program to augment the research and testing that Fitbit’s security response team conducts.
- Posting explanations of tracker firmware updates. Since spring 2016, Fitbit has also labeled client software updates that contain security fixes with a “Critical/Important/Moderate/Low” rating to provide “guidance for interpreting those ratings similar to best practices from Google, Microsoft, and others,” according to a Fitbit blog post on security.
- Developing best practices around the activity tracking data employers obtain from employees who participate in Fitbit wellness programs.