Wearables - New Threats

by Dominik Bärlocher
time to read: 18 minutes

Wearables bring a new flood of data that can be used with malicious intent. Biometric data opens up new attack vectors. These new attacks will be more personal and more targeted. The data is no longer the real target, the user is.

Google Glass, Nike FuelBand and other Wearables offer their users never-before-seen possibilities to analyse their own bodies and their surroundings. They measure the wearer’s pulse and display emails directly in front of the user’s eye. At this point in time, little seems impossible. And even though Google officially prohibits facial recognition on Glass, there are developers working on just that. Their apps will not be supported by Google’s Play Store, but the effort to have them installed will be minimal.

With this new technology and its expanding feature set come new attack vectors that can be exploited. The damage can be considerable. Not only can users lose their medical data when their pulse-measuring device has been compromised, but there’s also the constant threat of loss of personal data when a set of data glasses has an information leak.

Even when the devices are well secured against intruders, the data has to be transferred from the sensors or the display to another device. Most of the time, this is the smart phone that serves as a display device. From there, the data is more often than not wirelessly transmitted to a computer and from there to the internet.

Now, we’ll look at a threat assessment. We’ll be taking the role of an attacker, systematically analyzing the threat and the devices we’re going to attack. People in the security industry call this a Red Team approach.

The Target: Data

Wearables, just like any other device, record data. Data glasses, trackers and other devices mounted on the body record a lot more data than the devices we’re used to. The following table serves as an overview of the matter, based on the currently available Wearables. As their development continues, there will undoubtedly be more data.

| Category | Data |
|---|---|
| Movement | Number of steps; movement patterns |
| Location | GPS data; speed of movement |
| Health | Sleep profile; pulse; breathing; burned calories; weight |
| Communication | SMS messages; social network updates; instant messages; calls; appointments; contacts |

From the view of an attacker, it’s not only about understanding which data could be compromised, but also how this data is being processed and transmitted. Thus, we need some sort of frame of reference that answers the following questions:

Data Security in Storage

Answering these questions, we can draw up a theoretical model that, again, is not permanent due to development of technology.

| Model | Storage | Transmission | Processing | Displaying |
|---|---|---|---|---|
| 1 | Wearable | None | Wearable | Wearable |
| 2 | Smartphone | Wearable to Smartphone | Smartphone | Smartphone |
| 3 | Remote Server | Wearable to Smartphone, Smartphone to Remote Server; or: Wearable to Remote Server | Remote Server | Smartphone or Webclient |

The first model’s big advantage is that the user is the only one who’s able to access the data. It is not being transmitted. The only way for an attacker to get to the data is physical access to the device. The biggest risk for data loss is the loss of the device, be it due to theft or simply forgetting it somewhere. To keep strangers from accessing the data easily, a password or a PIN can be implemented. The disadvantages of this model are obvious: a lot of memory in a small space is expensive. The display of the device might be too small to display complex datasets, and the device itself might not have enough processing power to process the data.

In the second model, the data is transmitted from the Wearable to the smartphone, where it is saved in an app and also processed. Just like in the first model, the loss of data is the biggest security risk, which in this case also includes the interception of traffic during transmission. When it comes to security measures, the device has to offer more. In addition to PIN and password, there’s the possibility of wiping the device remotely from a PC. For the end user, this model presents more advantages. Due to the bigger display and bigger memory of the smartphone, bigger sets of data can be processed and displayed. On the other hand, this offers a bigger attack surface.

In the third model, the user has the most advantages. The data is transmitted to a server, where it is stored as well as processed. The data is protected from physical loss and can be subject to complex processing. But the user usually gives up the right to his data, because the data is stored on the server of an IT service; this is mentioned in the device vendor’s privacy statement and terms of use. End users, however, are often unaware of who can and may access their data.

The New Attacks

This is where the classical, technical analysis ends. With the recording of pulse, sleep and other data, attackers have more of an attack surface than ever. The attacks will become increasingly targeted, more personal and directly affect the wearer’s health.

It is no longer the data that is the target. It’s the person supplying said data. The pulse frequency and the sleep analysis become just a means to an end.

Even today, this is happening. During press conferences, people are watching the speakers for even the minutest detail. Is the speaker looking to his upper left? What does she do with her hands? Is the posture relaxed? What about voice modulation and intonation? Choice of words? Insights gained from these analyses help make business decisions. In criminal cases and daily talk shows, the lie detector is an often-used means to catch a crook or reveal that someone’s had an affair. In the TV show Lie to Me, Tim Roth plays the role of a man who is an expert in this kind of analysis. He uses the Facial Action Coding System in order to find the truth. Websites offer courses to pick up women and base their teachings on being able to read body language as well as other subtle signals. Others analyse presentations and speeches (http://mannerofspeaking.org/2011/06/02/analysis-of-a-speech-by-bruce-aylward-2/) for fun.

With the introduction of Wearables, this information will be much more precise, because there suddenly is a new flood of reliable data available. However, we don’t have any precedent in this matter, so we need to resort to theoretical scenarios.

The mitigation of this problem in the business world is simple: Executives shouldn’t wear Wearables or deactivate functions that measure biometrics. For this to happen and to implement a business-wide policy, there needs to be a rethinking of security so that security goes beyond password and server security.

Even the manipulation of data flowing from the Wearable to the processing device, be it smartphone or computer, carries new risks. Users can be told that they’re unwell, to which they’ll react accordingly. Or the data can tell users that they’re in the best of health while they’re actually sick.

Rethinking on Both Fronts

With the new attacks, it’s not just the defenders – called the Blue Team – who need to rethink their strategy. If an attacker is after the feed of one person, the attacker has no use for all the entries in a database: several thousand feeds of pulse rate and sleeping phases are useless. The attacker needs the data of one person. The attacks will become more targeted and more precise. This means that prior to the actual attack, Social Engineering attacks might increase. This, in turn, leads to more rethinking on the side of the Blue Team:

In brief: Any and all information about a key executive will be used against him or her.

Classic Attacks Persist

Despite all this, classic attacks will still be a relevant threat that needs protecting against. The attack surface changes only in size with the introduction of Wearables. New attacks are added, but the old ones don’t go away. In order to execute well-known attacks, the Red Team needs to know not just the data mentioned above but also the connection types. Generally, radio transmissions of all kinds, WLAN, Bluetooth and ANT among them, have two inherent weaknesses.

  1. Everyone in range of the broadcast can receive signals.
  2. Everyone in range of the broadcast can transmit signals.
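An added example, not from the original article: one way to address the second weakness is to authenticate every reading with a shared key and a counter, so the receiving smartphone drops forged, modified and replayed frames. The frame layout, the key handling and all names are assumptions for illustration; this covers integrity only, and the first weakness still calls for encryption.

```python
import hashlib
import hmac
import struct

BODY_LEN = 10  # 8-byte counter + 2-byte pulse value (assumed frame layout)
TAG_LEN = 32   # HMAC-SHA256 output size in bytes


def seal_reading(key: bytes, counter: int, pulse_bpm: int) -> bytes:
    """Wearable side: pack counter and pulse, then append an HMAC-SHA256 tag."""
    body = struct.pack(">QH", counter, pulse_bpm)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Smartphone side: accepts only authentic, strictly newer readings."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        """Return the pulse value, or None if the frame must be dropped."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return None
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified in transit
        counter, pulse = struct.unpack(">QH", body)
        if counter <= self.last_counter:
            return None  # replay of an old, genuine frame
        self.last_counter = counter
        return pulse


def demo():
    key = bytes(range(32))  # constructed key; assumed to be agreed during pairing
    rx = Receiver(key)
    genuine = seal_reading(key, 1, 72)
    # Same counter and tag, but the pulse field was rewritten in transit.
    tampered = genuine[:8] + struct.pack(">H", 180) + genuine[BODY_LEN:]
    return [
        rx.accept(genuine),                         # accepted
        rx.accept(tampered),                        # dropped: tag mismatch
        rx.accept(genuine),                         # dropped: replay
        rx.accept(seal_reading(key, 2, 74)),        # accepted
        rx.accept(seal_reading(b"x" * 32, 3, 40)),  # dropped: wrong key
    ]


if __name__ == "__main__":
    print(demo())
```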

In the first model, there’s no data transmission, so there’s no attack vector there.

The second and third model however, use one of the following technologies (See part 2 of this series)

These technologies have in common that they build a wireless personal area network (WPAN) between Wearable and another device. The range of this broadcast is characteristically small at less than 30 meters.

In the third model, there’s an additional connection to the WPAN. The smartphone connects to the internet. This can happen using a WLAN connection or using mobile data. In this model, the protection of the broadcast is not enough to protect users against access by third parties. To achieve more security, there are the following possibilities:

In all these cases, the entire communication is encrypted end-to-end and is at no point happening in clear text.

Attack Vectors

In summary, there are three possible vectors of attack:

This opens up the possibility of these attacks as well as others:

Reality

These scenarios are not flights of fancy, as proven by security researchers and hackers around the world. Whenever a new technology becomes available, the challenge is on. Hackers everywhere try to break open the new systems and modify them to suit their needs. Technology consultant Jay Freeman, aka Saurik, has managed to hack Google Glass using an exploit.

According to his report, Freeman managed to use a backup exploit for Android 4.0.x on his pair of data glasses. Using this exploit, he was able to bypass the feature that deletes all personal data on Glass in case of compromise and tampering. By running his own code on Google Glass, he has successfully proven that malware can be loaded onto Google Glass. This can be used to launch most if not all of the attacks described in this article.

The best part: Freeman doesn’t replace any software on his pair of glasses, but changes existing software. He would theoretically be able to smuggle an attack past a user.

He draws up the following scenario:

This means that if you leave your device in someone else’s hands, and it has an unlocked bootloader, with just a minute alone they can access anything you have stored on it. While on most Android devices there is a PIN code that protects your personal data (encrypting it, as of Android 4.0), it doesn’t take long to programmatically try every possible PIN code (on iOS, the four-digit code takes ten minutes to crack).

The researchers over at Lookout Security have proven that it is possible to gain complete control of the device by having the user scan a QR code.

Google meets this development with humour as well as a challenge. Googler Stephen Lau posted this statement on his Google+ profile:

Not to bring anybody down… but seriously… we intentionally left the device unlocked so you guys could hack it and do crazy fun shit with it. I mean, FFS, you paid $1500 for it… go to town on it. Show me something cool.

And that is what hackers all round the world are working on.

About the Author

Dominik Bärlocher

Dominik Bärlocher has been working with IT subjects since 2006. The journalist relied on his affinity for all things IT during his tenures at newspapers and benefited from it. At scip, he conducts OSINT research and is an expert at information gathering.
