The Dark Side of Wearables: Security and Privacy Flaws Discovered
July 2018 by VPNMentor
vpnMentor has commissioned a report to test the security and privacy of three wearables in the health and fitness sectors - the results of which are unveiled today.
Digitsole Warm Insoles, Modius Headband and Ivy Health Kids Thermometer were all found to be collecting and exposing personal information, putting their users’ privacy at risk.
A breakdown of the findings can be found below:
Ivy Health Kids Thermometer is a smart and portable arm thermometer for babies and small children that connects over Bluetooth to a mobile device app which controls it.
Of the three wearables tested, Ivy Health Kids collected the most information. Hackers can personally identify the kids who use the device to take measurements, as they can access their names, dates of birth, gender and more. The attacker can also find out about the relationships between the kids and other users of the device, potentially exposing an entire family structure and their temperature measurement history.
Perhaps most concerning is the fact that the app’s API and portal are all served over insecure HTTP, revealing the user’s username and password to any eavesdropper.
Modius Headband is a weight loss device, intended to change the user’s body weight and appetite by sending electric signals to their brain. This wearable was also vulnerable to attacks, meaning that an attacker can gain information such as coarse location, personal details and tracking via Facebook integration. The device also collects highly personal information such as weight, height and body fat percentage, which can easily be accessed by hackers. In addition, the Modius application requires fingerprint access, meaning that every user’s fingerprints can be exposed by hackers. With individuals relying on fingerprints to access their phones or even bank accounts, this privacy failure can result in serious risks to the biometric security of users.
Digitsole Warm Insoles are Bluetooth-enabled shoe soles which enable the user to track their day-to-day and sports activities, and feature the ability to warm up for comfort.
The report shows that hackers can easily take control of the wearable, and do so with malicious intentions. Hackers can increase the temperature of the Digitsole Warm Insoles to its maximum of 113°F (45°C).
The app also collects very specific location information, and continues to track the user’s location even when the app is not actively being used but is running in the background. The report also finds that Digitsole collects Facebook data not directly given by users themselves.
With Germany banning kids’ smartwatches last year and China banning smartwatch usage in the army a few years ago, it comes as no surprise that the security of wearables remains questionable. As shown in the vpnMentor report, wearables ranging from insoles to thermometers can all too easily be compromised.
But the increased risk surrounding wearables is not stopping their rise. The overall wearables market is expected to grow from 113.2 million shipments in 2017 to 222.3 million in 2021 with a compound annual growth rate (CAGR) of 18.4%, according to the International Data Corporation (IDC) Worldwide Quarterly Wearable Device Tracker. Is now the time to rethink our approach to security and privacy when it comes to wearables?