My precious: security, privacy, and smart jewelry
Credit to Author: Jovi Umawing | Date: Wed, 14 Nov 2018 17:27:23 +0000
Emery was staring at her computer screen for almost an hour, eyes already lackluster as the full-page ad on Motiv looped once more. She was contemplating whether she’d give in and get her boyfriend Ben a new fitness tracker as a present for his upcoming marathon. The phone app he was currently using worked, but Ben never got used to wearing his iPhone on his arm. In fact, the weight of it distracted him.
Emery thought that something lightweight, sturdy, and inconspicuous was what he needed as a replacement. And the Motiv Ring—in elegant slate gray, of course—seemed to be the best option. But for $199, she immediately stepped back. Admittedly, the price tag tempted her to go back to cheaper options.
Reaching for her coffee mug, Emery was reminded of the weight of the Ela Bangle around her wrist. Ben had given it to her as a welcome-home present after her two-week medical mission. He had called it a smart locket, one you can’t wear around your neck. He knew she got homesick easily, so Emery was ecstatic when Ben had shown her photos and audio messages near and dear to her all saved on its rounded-square stone.
At least that was what the brochure said. In reality, her personal files were stored in the cloud associated with the Ela.
Although Emery could only rave about her smart locket, she couldn’t help but wonder if anyone else could see her files. She’s as techie as the next nurse in her ward, but stories of hacking, stolen information, and locked out files were frequently discussed at the hospital, making her realize that owning technology from a nascent industry can put one in a precarious position.
Emery and her current situation may be fictitious, but her dilemma is real. Smart jewelry has real appeal, but it doesn’t come without risks to security and privacy.
Whatever enamored them, potential buyers would be wise to consider this one, significant detail before they make up their minds: data. Mainly, what happens with the data they freely allow their smart jewels to monitor, collect, analyze, and store. Could these be accessed, retrieved, transported, or used by anyone who has the skills? Could data leak by accident or because of simple manipulation of certain elements (such as incrementing the user ID)? These are some questions we need to continue asking ourselves in this age of breaches.
Not only that, the data collected about a person’s health and well-being is yet another trove that should be under the protection of a statute like HIPAA—but isn’t. It’s no wonder that lawmakers and those working in the cybersecurity and privacy sectors have expressed concern regarding the evident lack of security of not just wearable technology, but the Internet of Things as a whole.
How smart jewelry works
Smart jewelry, or wearable jewelry, is a relatively new form of wearable technology (WT) capable of limited data processing. And like other WT, it’s generally not a stand-alone device. It requires an app to be paired with your smart jewelry so it can do what it’s designed to do. In a nutshell, this tandem is how smart jewelry—and wearables as a whole—works.
Wearable jewelry that acts as a fitness tracker usually follows the standard model below:
- Tracking of data using sensors in the wearable, such as an accelerometer, gyroscope, tracker, and others.
- Transmitting of data from the wearable to the smartphone via Bluetooth Low Energy (BLE) or ANT+.
- Aggregating, analyzing, processing, and comparing the data in the smartphone.
- Syncing of data from the smartphone app to its cloud server via an Internet connection.
- Presenting data to the user via the smartphone.
In-depth processing and data analysis also happen in the cloud. Manufacturers offer this additional service to users as an option. As you can tell, this is how service providers monetize the data.
Nowadays, smart jewelry is becoming more than just a pretty fitness tracker. Some already function as an extension of the smartphone, providing notifications on incoming calls and new text messages and emails. Others can be used for sleep or sleep apnea monitoring, voice recording, hands-free sharing and communication, unlocking doors, or paying for purchases. A small number of smart jewelry pieces can even act as one’s personal safety device, train or bus pass, bank card, or smart door key.
But while the jewelry gets blingier and the processor—the wearable jewelry’s core computer—gets smarter with time, one is likely to ask: Is smart jewelry getting more secure? Is it protecting my privacy?
Unfortunately, the strong, resounding answer to both is “no.”
Security and privacy challenges faced by smart jewelry
Because of the processor’s size—a necessity to make wearables lightweight, relatively inexpensive, and fit for mass production—manufacturers are already limited in adding security measures to it. This is an inherent problem in a majority of wearable devices.
In fact, it is safe to say that some vulnerabilities or security shortcomings we find in wearable devices can be found in smart jewelry, too.
In the research paper entitled, “Wearable Technology Devices Security and Privacy Vulnerability Analysis,” Ke Wan Ching and Manmeet Mahinderjit Singh, researchers at the Universiti Sains Malaysia (USM), have presented several weaknesses and limitations within wearable devices that we have grouped into main categories. These are:
- Little or lacking authentication. A majority of wearables have no way of authenticating or verifying that the person accessing or using them is who they claim to be. These devices are then susceptible to data injection attacks, denial of service (DoS) attacks, and battery drain hacks. For gadgets that do have an authentication scheme in place, usually, the system isn’t secure enough. This could quickly be taken advantage of by brute force attacks.
- Leaky BLE. Because BLE is leaky, persons with ill intent can easily track users wearing smart jewelry. And if a location can be determined with ease, then privacy is compromised, too. Other Bluetooth attacks that can work against wearables are eavesdropping, surveillance, and man-in-the-middle (MiTM) attacks.
- Information leakage. If one’s location can be determined with pinpoint accuracy, it’s possible that hackers can pick up personally identifiable information (PII) and other data just as easily. Information leakage also leads to other security attacks, such as phishing.
- Lack of encryption. Some wearables are known to send and receive data to or from the app in plain text. It’s highly likely that smart jewelry is doing this, too.
- Lack of or incomplete privacy policy. Some smart jewelry manufacturers make clear what they do to information they collect from users visiting their website. Yet, they hardly mention what they do to the more personal data they receive from their wearables and app. Their privacy policy does not (or seldom) say what is being collected, when data is collected, what the data will be used for, or how long the data can be kept.
- Insecure session. Users can access their smart jewelry via its app, and its app saves user accounts. Account-based management is at risk if its weakness is in the way it manages sessions. Attackers would be able to guess user accounts to hijack sessions or access data belonging to the user.
It’s also important to note that, unlike smartphones and other mobile devices, smart jewelry owners have no way of tracking their wearable jewelry should they accidentally misplace or lose it.
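The insecure-session item in the list above, and the earlier question about incrementing a user ID, come down to two server-side checks, shown here as an added example that is not code from the article or from any vendor. The class names, the in-memory store, and the account IDs are hypothetical and the data is constructed.

```python
import secrets

# Constructed sample data: two accounts in a hypothetical wearable cloud store.
FILES = {
    1001: ["emery_photo.jpg", "emery_voice_note.m4a"],
    1002: ["ben_run_log.json"],
}

class WeakApi:
    """Trusts the user ID sent by the client; session tokens are sequential."""
    def __init__(self):
        self._next_session = 1
        self.sessions = {}

    def login(self, user_id):
        token = str(self._next_session)    # guessable: "1", "2", "3", ...
        self._next_session += 1
        self.sessions[token] = user_id
        return token

    def get_files(self, token, user_id):
        if token not in self.sessions:
            raise PermissionError("not logged in")
        return FILES[user_id]              # never checks who owns the session

class HardenedApi:
    """Unpredictable tokens; every read is checked against the session owner."""
    def __init__(self):
        self.sessions = {}

    def login(self, user_id):
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self.sessions[token] = user_id
        return token

    def get_files(self, token, user_id):
        owner = self.sessions.get(token)
        if owner is None:
            raise PermissionError("invalid session")
        if owner != user_id:
            raise PermissionError("session does not own this account")
        return FILES[owner]

def cross_account_read(api, own_id, other_id):
    """Regression check: can a session for own_id read other_id's files?"""
    token = api.login(own_id)
    try:
        api.get_files(token, other_id)
        return True
    except PermissionError:
        return False
```

Running cross_account_read against both classes gives a pass/fail check that fits in a test suite for any account-based sync API.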
How smart jewelry manufacturers are addressing challenges
The European Union’s introduction of the General Data Protection Regulation (GDPR) has created a tsunami effect on organizations across industries worldwide. Manufacturers of wearable devices are no exception. Owners of smartwatches, smart wristbands, and other wearable gadgets may already have noticed some tweaking to the privacy policies they agreed to—and this is a good thing.
When it comes to security and privacy, much to the surprise of many, they are not entirely absent from smart jewelry. Manufacturers recognize that wearables can be used to secure data and accounts. They also understand that their wearables need to be secured. And a small number of organizations are already taking steps.
Motiv, the example we used in our introductory narrative, has already incorporated biometric and two-factor authentication schemes into its devices, which it recently revealed in a blog post. The Motiv Ring now includes a feature called WalkID, a verification process that monitors a wearer’s gait. It runs continuously in the background, which means WalkID regularly checks for the wearer’s identity. The ring can also now serve as an added layer of protection to online accounts that are linked to it. In the future, Motiv has promised its users password-free logins, fingerprint scanning, and facial recognition.
Diamonds—and data—are forever
It was in January of this year that Ringly, a pioneer smart jewelry company, bid farewell to the wearable tech industry (probably for good) after only four years. Although it wasn’t revealed why, one mustn’t take this as a sign of a dwindling future ahead for wearable jewelry. On the contrary, many experts forecast an overwhelmingly positive outlook on wearable tech. However, the wearables industry must make a concerted effort to address the many weaknesses found in modern smart jewelry.
So, should you bite the bullet and splurge on some smart jewelry?
The answer still depends on what you need it for. And if you’re seriously intent on getting one, remember there are security measures you can take to minimize those risks. Regularly updating the app and the firmware, taking advantage of additional authentication modes if available, using strong passwords, never sharing your PIN, and turning the Bluetooth off when not needed are just some suggestions.
How you choose among smart jewelry options plays a key role in safety, too. Make sure that you select a brand that takes security seriously and shows this by continuously improving on the flaws and privacy concerns we mentioned above. First-generation tech is always insecure. What consumers must look out for are future improvements, not just on the look and functionalities, but also how it protects itself and your data.
Lastly, it’s okay to wait. Seriously. You don’t have to have the latest smart ring, necklace, or bracelet if it doesn’t take care of your data or leaves you open to hackers. It would be wise to settle for other alternatives that would address your needs, first and foremost, and make it coordinate with your attire second. After all, the smart jewelry industry is relatively young, so it still has a long way to go. And with every advancement, we can only hope that smart jewelry comes with beefier security measures and privacy-friendly policy implementations.
As for wearables in the business environment—well, that’s another story.
The post My precious: security, privacy, and smart jewelry appeared first on Malwarebytes Labs.