Smartphones already gather a ton of data about our lives.
Depending on the apps you use and the security settings on your phone, it can tell where you’ve been, who you’ve most recently spoken with, and the passwords to your most private and personal accounts. It also has all of your photos.
But that kind of data is going to look quaint compared to what’s about to happen.
A new wave of wearable devices is collecting information about you that’s even more personal. Fitness bands like the Jawbone UP and Fitbit Flex, and smartwatches like the Moto 360, can measure your heart rate, your precise steps, how you’re sleeping, your sweat, and what you’ve eaten today in addition to your location. The Apple Watch, which is due in 2015, can track your heartbeat.
At the same time that technology companies are looking to track the details of our personal health, we’re getting daily reminders that nothing is ever secure from hackers. Vulnerabilities such as the Heartbleed bug, the more recent “Shellshock” (or “Bash”) bug, and the iCloud hack that happened last month show exactly what hackers are capable of if they know what they’re doing.
If wearable gadgets are going to become mainstream products, then we’re going to have to wrestle with some serious questions. Are we putting our personal information at risk by connecting our phones to fitness bands and smartwatches? If so, does anyone even care to steal statistics about your heart rate or calories burned? Is it worth the risk?
‘Hackers already know how to do it’
According to two security experts, wearable computing devices can get hacked, but it remains unclear whether there’s real motivation to steal data from wearable devices just yet.
“Getting the information is very simple,” Kevin Haley, director of product for cybersecurity firm Symantec’s security response division, said. “And often, it’s an old-fashioned way that’s most likely.”
To steal information from a wearable device, a hacker probably wouldn’t even have to infiltrate the device itself or even its app. Since many smartwatches and fitness bands allow you to store information in the cloud, there’s opportunity for hackers to grab that information without even breaking into your device, Haley said.
“They have been around for a while, and hackers already know how to do it,” Haley said.
But there are other issues that extend beyond simply stealing information. Devices like fitness trackers could potentially allow tech-savvy burglars to track your location.
As Symantec noted in a recent study, for example, wearable devices can easily be tracked with a portable scanner. In fact, Symantec said it’s so simple that anyone with “basic IT skills” could probably pull it off.
Although most fitness trackers don’t come with a GPS sensor built-in for tracking your location, many of them sync with your phone through Bluetooth to transfer data. This interaction process between the phone and the fitness band could potentially broadcast information about your location.
Symantec performed an experiment to illustrate how this works. During its test, the company found that a portable scanner, which would cost about $US75 to build, could be placed somewhere out of view in a public setting.
The scanner would then pick up the unique hardware address that each fitness tracker emits when syncing to your phone via Bluetooth (i.e. the code you see when your phone is scanning for devices it can connect to through Bluetooth).
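The privacy property at stake here can be checked from the owner's or vendor's side. The following is an added example, not code from this article or from Symantec's study: it audits a constructed scanner log to see whether each advertised address stays constant. It goes beyond the article by distinguishing the Bluetooth Low Energy address types, and the log entries, the 15-minute window and the function names are assumptions.

```python
# Constructed scanner log: (unix_time, advertised_address, address_type).
# address_type is what a BLE scanner reports for each advertisement.
SIGHTINGS = [
    (1000, "C4:7D:11:22:33:44", "random"),
    (4600, "C4:7D:11:22:33:44", "random"),
    (1000, "5A:01:02:03:04:05", "random"),
    (4600, "6B:99:88:77:66:55", "random"),
    (1000, "00:11:22:0A:0B:0C", "public"),
    (9000, "00:11:22:0A:0B:0C", "public"),
    (1000, "F0:AA:BB:CC:DD:EE", "random"),
]

ROTATION_WINDOW = 900  # assumption: an address held longer than 15 min counts as stable

def address_kind(address, address_type):
    """Classify a BLE address; random sub-types are encoded in its two top bits."""
    if address_type == "public":
        return "public"
    top_bits = int(address.split(":")[0], 16) >> 6
    kinds = {0b11: "static-random", 0b01: "resolvable-private", 0b00: "non-resolvable-private"}
    return kinds.get(top_bits, "reserved")

def audit(sightings, rotation_window=ROTATION_WINDOW):
    """Report, per address, how long it stayed unchanged and whether it is linkable."""
    seen = {}
    for ts, addr, addr_type in sightings:
        first, last, _ = seen.get(addr, (ts, ts, addr_type))
        seen[addr] = (min(first, ts), max(last, ts), addr_type)
    report = {}
    for addr, (first, last, addr_type) in seen.items():
        kind = address_kind(addr, addr_type)
        held = last - first
        report[addr] = {
            "kind": kind,
            "held_seconds": held,
            "trackable": kind in ("public", "static-random") or held > rotation_window,
        }
    return report

if __name__ == "__main__":
    for addr, row in audit(SIGHTINGS).items():
        print(addr, row)
```

A device that shows up as `public` or `static-random`, or that holds one address well past the rotation window, presents the fixed identifier the scanner experiment relies on; one that rotates resolvable private addresses does not.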
Nicko Van Someren, chief technology officer at Good Technology, said the encryption protocols used for many mobile devices and wearables aren’t very strong — meaning there’s a chance that a clever hacker could steal the data.
The ‘grey market’ wants to know all about you
But perhaps the bigger question is whether or not thieves would have any motivation to even steal data collected by wearable devices. The information collected by fitness bands and smartwatches, in some cases, is more about your activity and whereabouts than it is your assets (i.e. credit card numbers, banking information, etc.).
Haley notes that there’s likely a “grey market” out there that could make use of this type of health information.
“There are data brokers, insurance companies, and health care providers who potentially could create a market for this data,” Haley said. “There are a number of data brokers who are already collecting anything they can in order to further define you as a person, or add you to a group so that they can better market their data to others.”
Privacy Rights Clearinghouse makes the same point in its white paper about privacy risks associated with fitness apps. Mobile apps, especially free ones, largely depend on advertising to make money. This means that the snapshot profile of your life that you often create when registering for a fitness app (i.e. when you enter your age, gender, height, weight, diet, etc.) can seem extremely valuable to advertisers.
The risk of this happening to your data is largely dependent on the privacy policies of the fitness apps you use. Most big-name fitness apps have privacy policies that protect the user’s data, but Haley says that there are still plenty of apps that don’t have privacy policies at all.
There’s no doubt that the companies making these fitness bands and smartwatches are thinking about security and privacy all the time. Jef Holove, general manager at Basis, emphasised how seriously its parent company Intel takes both privacy and security.
“We now have an army of people just to audit our security,” he said, noting these privacy standards as one of the benefits of being part of a large organisation.
Jawbone UP smartbands use an extra layer of security in addition to standard Bluetooth encryption when communicating data between the wristband and your phone. This extra layer of security has been tested and verified by third-party app security firms, the company said.
But this ‘grey market’ may not be a problem yet
Van Someren believes the data that could theoretically be stolen from smartwatches is more sensitive, since these types of devices are usually used to perform some of the same actions as our phones. This means a smartwatch could include payment information, phone numbers and names of the people you work with, and your personal messages. Fitness trackers, on the other hand, store a more limited amount of data.
“If my fitness tracker says I’m suddenly becoming active at 11pm at night when I told my wife I’m at the office, you might not want to share that information,” Van Someren said. “But there’s a limited amount of information [that you could get from fitness trackers].”
But Holove doesn’t believe there’s a real market for the type of data that fitness trackers collect. While there’s a possibility advertisers or data brokers may find the information useful, there’s no direct severe impact like there would be if your financial information were stolen.
“In a world in which insurance rates or some other things were informed by health data, maybe someone stealing your health information could be useful in a commercial way,” Holove said. “It’s just not worth the effort from a crime perspective. Maybe in the future that will change, but I honestly don’t see it.”