• Part 1: Wearables – New Freedom
• Part 2: Wearables – Technology on the Body
• Part 3: Wearables – New Threats
• Part 4: Wearables – No Privacy for Your Biometry
• Part 5: Wearables – A look ahead

Wearables bring a new flood of data that can be used for malicious intents. Using biometric data, new attack vectors open up. These new attacks will be more personal and more targeted. The data is no longer the real target, the user is.

Google Glass, Nike FuelBand and other Wearables offer their users never before seen possibilities to analyse their own bodies and their surroundings. They measure the wearer’s pulse and display emails directly in front of the user’s eye. At this point in time, little seems impossible. And even though Google Glass officially prohibits facial recognition on their device, there are developers working on just that. The will not be supported by Google’s Playstore but the effort to have it installed will be minimal.

With this new technology and the expansion with new features, there are new attack vectors that can be exploited. The damage can be quite big. Not only can users lose their medical data when their pulse measuring device has been compromised but there’s the constant threat of loss of personal data when the set of data-glasses has an information leak.

Even when the devices are well secured against intruders, the data has to be transferred from the sensors or the display to another device. Most of the time, this is the smart phone that serves as a display device. From there, the data is more often than not wirelessly transmitted to a computer and from there to the internet.

Now, we’ll look at a threat assessment. We’ll be taking the role of an attacker, systematically analyzing the threat and the devices we’re going to attack. People in the security industry call this a Red Team approach.

h4 The Target: Data

Wearables, just like any other device, records data. In case of data glasses, trackers and other devices mounted on the body, these devices record a lot more data than devices we’re used to. The following table is serves as an overview on the matter, based on the currently available Wearables. As their development continues, there will undoubtedly be more data.

From the view of an attacker, it’s not only about understanding which data could be compromised, but also how this data is being processed and transmitted. Thus, we need some sort of frame of reference that answers the following questions:

• Where is the data stored?
• How is the data being transmitted?
• In which device is the data being processed?
• Where is the data visible to the user?

Data Security in Storage

Answering these questions, we can draw up a theoretical model that, again, is not permanent due to development of technology.

The first model’s big advantage is that the user is the only one who’s able to access the data. It is not being transmitted. The only way for an attacker to get to the data is the physical access to the device. The biggest risk for data loss is the loss of the device, be it due to theft or just simply forgetting it somewhere. So that strangers can’t access data easily, there’s a possibility of implementing a password or a PIN. The disadvantages of the device are obvious: Big memory on small space is expensive. The display of the device just might be too small to display complex datasets and the device itself might not be packing enough processing power to execute data processing.

In the second model, the data is being transmitted from the Wearable to the smartphone where it’s being saved in an app, where it also gets processed. Just like in the first model, the loss of data is the biggest security risk, which in this case also includes the interception of traffic during transmission. When it comes to security measures, the device has to offer more. In addition to PIN and password, there’s the possibility of wiping the device remotely from a PC. For the end user, this model presents more advantages. Due to the bigger display of the smartphone and bigger memory of the device bigger sets of data can be processed and displayed. On the other hand, this offers a bigger attack surface.

In the third model, the user has the most advantages. The data is being transmitted to a server and stored there as well as processed. The data is being protected from physical loss and can be subject to complex processing. But: The user usually gives up the right to his data. Because the data is being stored on the server of an IT-service, which is mentioned in the device’s vendor’s privacy statement and the terms of use. But end users are often unaware who can and may access their data.

The New Attacks

This is where the classical, technical analysis ends. With the recording of pulse, sleep and other data attackers have more of an attack surface than ever. The attacks will become increasingly targeted, more personal and directly affect the wearer’s health.

It is no longer the data that is the target. It’s the person supplying said data. The pule frequency and the sleep analysis becomes just a means to an end.

Even today, this is happening. During press conferences, people are watching the speakers for even the minutest detail. Is the speaker looking to his upper left? What does she do with her hands? Is the posture relaxed? What about voice modulation and intonation? Choice of words? Insights gained from these analyses helps make business decisions. In criminal cases and daily talk shows the lie detector is an often-used means to catch a crook or reveal that someone’s had an affair. In the TV show Lie to Me, there’s Tim Roth playing the role a man who is an expert in this kind of analysis. He uses the Facial Action Coding System in order to find the truth. Websites offer courses to pick up women and base their teachings on being able to read body language as well as other subtle signals. Others “analyse presentations and speeches”: http://mannerofspeaking.org/2011/06/02/analysis-of-a-speech-by-bruce-aylward-2/ for fun.

With the introduction of Wearables, this information will be much more precise, because there suddenly is a new flood of reliable data available. However, we don’t’ have any precedence in this matter, so we need to escape to theoretical scenarios.

• A business mogul is in bad health. If the competition knows that the CEO of their rival will have to step down in a few months, then it can use this information to plan and exploit the power vacuum that will occur once the CEO has retired and the new leadership is being implemented.
• Negotiations can be drawn out, because the negotiation partner, an older gentleman, has issues with his bladder. He needs to use the toilet every so often. If he really needs to go, then he’s far more likely to make mistakes. Also, a lot of water is being served during negotiations.
• A journalist could use the pulse data of her interviewee to detect lies. She could figure out when to push a subject and ask more questions if she knows when the person answering her questions is cramping up. This would even work after the first interview, so she wouldn’t even need a live feed. Journalists today do this, by the way, as seen in this news interview where a journalist interviews a man who will eventually be convicted of killing the woman whose death he’s being interviewed about. The journalist pushes the matter, asks complicated questions, repeats them. She doesn’t know that the man in front of her is a murderer, but she knows that something’s weird.

The mitigation of this problem in the business world is simple: Executives shouldn’t wear Wearables or deactivate functions that measure biometrics. For this to happen and to implement a business-wide policy, there needs to be a rethinking of security so that security goes beyond password and server security.

Even the manipulation of data flowing from Wearable to processing device, be it smartphone or computer, carries new risks. Users can be told that they’re unwell to which they’ll react accordingly. Or the data can tell their users that they’re in the best of health while they’re being sick.

Rethinking on Both Fronts

With the new attacks, it’s not just the defenders – called the Blue Team – who need to rethink their strategy. Because if an attacker is after the feed of one person, the attacker has no use for all the entries in a database. Because several thousand feeds of pulse rate and sleeping phases are useless. The attacker needs the data of one person. The attacks will become more targeted and more precise. This means that prior to the actual attack, Social Engineering attacks might increase. This, in turn, leads to more rethinking on the side of the Blue Team:

• Personnel needs to be taught better. Holding the door open for who they think to be colleagues suddenly becomes a no-go.
• Badge systems, keys and other access controls become increasingly important.
• The personal surroundings like friends and family and even people like hairdressers of key personnel in an enterprise will have to be briefed.
• Social media etiquette will be important for not just key personnel but also for everyone in contact with said person. Because even if you don’t have a Facebook or a Google+ profile, you can have a web presence.
• The media presence of executives needs to be strictly monitored. Even appearing at informal social gatherings or in personal portraits in news magazines are suddenly potential dangers.

In brief: Any and all information about a key executive and will be used against him or her.

Classic Attacks Persist

Despite all this, classic attacks will still be a relevant threat that needs protecting against. The attack surface changes only in size with the introduction of Wearables. New attacks are added, but the old ones don’t go away. In order to execute well-known attacks, Red Team needs to know more than just the data mentioned above but also the connection types. Generally: Radio transmissions of all kind, WLAN, Bluetooth as well as ANT among them, have two inherent weaknesses.

1. Everyone in range of the broadcast can receive signals.
2. Everyone in range of the broadcast can transmit signals.

In the first model, there’s no data transmission, so there’s no attack vector there.

The second and third model however, use one of the following technologies (See part 2 of this series)

• Bluetooth
• Bluetooth Low Energy: More energy efficient version of Bluetooth
• ANT/ANT+

These technologies have in common that they build a wireless personal area network (WPAN) between Wearable and another device. The range of this broadcast is characteristically small at less than 30 meters.

In the third model, there’s an additional connection to the WPAN. The smartphone connects to the internet. This can happen using a WLAN connection or using mobile data. In this model, the protection of the broadcast is not enough to protect users against access by third parties. To achieve more security, there are the following possibilities:

• HTTPS with TLS
• HTTPS with SSL
• VPN connection

In all these cases, the entire communication is encrypted end-to-end and is at no point happening in clear text.

Attack Vectors

There are, summarizing, three possible vectors of attack:

• Transmission: An attacker tries to get the data while they’re being transmitted from Wearable to smartphone or from smartphone to computer or to the internet.
• Processing: The data is being manipulated while it’s stored in memory or stolen from there. This memory can be in the Wearable itself. Or in the smartphone or on the server of the manufacturer.
• Display: An attacker manipulates the data output or accesses the data via the display.

This opens up the possibility of these attack as well as others:

• Denial of Service: The connection that the Wearable uses in order for it to function are being systematically jammed, overlaid or influenced in any other way. This disables the user from actually using the device.
• Eavesdropping: This is the basis for the New Attacks. The data of a user is being recorded without the target’s knowledge. Eavesdropping allows for an attacker to launch a Replay-Attack, which sees the same data transmitted again at a later point. Or message modification attacks that see modified information being transmitted to the user.
• Man in the Middle: (MITM) During such an attack, Red Team diverts all traffic between the devices that communicate to a server that is under Red Team control. Therefore, while the traffic is not being interrupted, Red Team has complete control over the flow of data and the data can be read as well as modified.

Reality

These scenarios are not flights of fancy as proven by security researchers and hackers around the world. Whenever a new technology becomes available, the challenge is on. Hackers everywhere try to break open the new systems and modify them to suit their needs. Technology consultant Jay Freeman aka. Saurik has managed to hack Google Glass using an exploit.

According to his report, Freeman managed to use a backup exploit for Android 4.0.x on his pair of data glasses. Using this exploit, he was able to bypass the feature that deletes all personal data on Glass in case of compromise and tampering. By running his own code on Google Glass, he has successfully proven that malware can be loaded onto Google Glass. This can be used to launch most if not all of the attacks described in this article.

The best part: Freeman doesn’t replace any software on his pair of glasses, but changes existing software. He would theoretically be able to smuggle an attack past a user.

He draws up the following scenario:

This means that if you leave your device in someone else’s hands, and it has an unlocked bootloader, with just a minute alone they can access anything you have stored on it. While on most Android devices there is a PIN code that protects your personal data (encrypting it, as of Android 4.0), it doesn’t take long to programmatically try every possible PIN code (on iOS, the four-digit code takes ten minutes to crack).

The researchers over at Lookout Security have proven that it is possible to gain complete control of the device by having the user scan a QR code.

Google meets this development with humour as well as a challenge. Googler Stephen Lau posted this statment on his Google+ profile:

Not to bring anybody down… but seriously… we intentionally left the device unlocked so you guys could hack it and do crazy fun shit with it. I mean, FFS, you paid $1500 for it… go to town on it. Show me something cool.

And that is what hackers all round the world are working on.

About the Author

Dominik Bärlocher has been working with IT subjects since 2006. The journalist relied on his affinity for all things IT during his tenures at news papers and benefited from it. At scip, he conducts OSINT researches and is an expert at information gathering.

Links

• http://face-and-emotion.com/dataface/facs/description.jsp
• http://forum.xda-developers.com/showthread.php?t=1886460
• http://www.nametag.ws
• http://www.puatraining.com
• http://www.saurik.com/id/16
• https://blog.lookout.com/blog/2013/07/17/hacking-the-internet-of-things-for-good/
• https://plus.google.com/+StephenLau/posts/ERUJ8e1yKRd
• https://www.youtube.com/watch?v=KIroLgiCyP8