Wearable devices present significant security and privacy risks

Over the past few decades we’ve seen an escalation in technological devices entering our homes and monitoring our lives. The smart phone is the obvious privacy invasion culprit, but there have been others, televisions and refrigerators embedded with internet-of-things sensors that report data back to the core company, and then the digital home assistant’s Alexa and Siri and Cortana, which represent a curious new vista in terms of home surveillance.

These puts corporations right in your home where you could interact with a helpful representative at any time, night or day. The intent was an exchange of helpful services like google search on demand, music, etc, in exchange for data. Because as it turns out, Siri and Alexa and Cortana, were all listening to us all along.

Except they were limited to one sense. Corporations realized this left them out of a significant amount of potential data and decided to bridge the gap with wearable technologies.

What are wearable technologies?

Wearable computing is the use of miniature computers or sensory devices either on, over, under or integrated within clothing. The most common form you’ll find is the smartwatch. It includes a constant interaction between user and computer, where the computer gathers information regarding what the user is experiencing as the user experiences it. The purpose is data collection, collation and presumably education of the user about habits regarding their experience.

Here’s a list of uses for wearable tech:

• Fitness applications like smart clothing, smart sports glasses, sleep sensors.
• Infotainment from smart watches, augmented reality headsets, smart glasses.
• Healthcare and medical such as glucose monitors, wearable biosensor patches.
• Industrial, police and military like hand worn terminals, body-mounted cameras, augmented reality headsets.

A list of the major players for the wearables market reads like a who’s who for the tech space:

• Alphabet
• Samsung
• Microsoft
• Xiami
• Eurotech
• Apple
• Adidas AG
• Seiko Epson

The Global Enterprise Wearable Market is valued at USD $2.89 Billion in 2020 and is anticipated to reach USD $14.09 Billion by 2027 with a CAGR of 25.4% over the forecast period. There’s definitely money to be made in this market but there are some concerns.

Privacy concerns

Wearables add to existing privacy risks already prevalent in the mobile environment by gathering additional and intimate personal information. Many wearable devices add more dimensions onto the invasiveness of smartphones. The smartphone can take pictures, record conversations and collect data in other ways, but they lack the biometric capabilities that come with certain types of sensors, which can collect real-time information about the user’s body, (including mood, habits, health status) and the user’s environment, including images, sounds, temperature, location, social environment and more.

There’s nothing intrinsically wrong with the collection of data, but it’s what happens to the information after it’s been collected that should be a cause for concern. In most cases, it doesn’t stay on the device, which produces a number of data vulnerability points to be exploited. If you consider the data supply chain at its component parts you’re thinking about a data generator, an analytics engine, maybe a service provider, and cloud security settings—each of which represent an opportunity for a determined hacker. Connecting a wearable device means exposing yourself to more risk.

Most hackers attack computer networks for the money, which can lead to a false sense of security for folks regarding their wearables. Wearable data, though, especially in professional settings like healthcare, is often tied directly to financial information, thereby raising the cybersecurity and privacy risk that wearables offer in these settings.

Even on the retail level, wearables are tied directly to apps in most cases, and those apps will have all manner of personal information beyond biometrics, including birthdays, email addresses and login information which can be used for identity theft. Lose your phone and lose your data and your privacy.

Most modern cyber security concerns aren’t necessarily from the device itself, though. Most hackers prefer low-hanging fruit in terms of data acquisition and will attempt to find weaknesses elsewhere, such as the way Fitbit was hacked in 2016 and again in 2021.

The 2016 hack wasn’t technically through any fault of the company as hackers used leaked email addresses and passwords from third-party sites to log into Fitbit user accounts, where they changed details and attempted to defraud the company by ordering replacement Fitbits through the warranty option. But it did give hackers access to customer data, which included GPS histories and data showing when a person usually went to sleep.

The company experienced a security breach again in 2021, wherein GetHealth, a New York-based health and wellness company allowed their users to connect their wearable device, medical device and app data, which contained data such as names, birthdates, weight, height, gender and geographical location, before hackers stole the data from their database, which wasn’t password protected.

Fitbit is facing multiple class-action lawsuits for the hacks, and for unrelated technical issues resulting in recalls, but Fitbit was recently acquired by Alphabet (NASDAQ:GOOGL) so it can afford it.

Beyond security

There are also a handful of questions about what’s being done with our data.

Fitness tracking technology is primed to provide health insurance companies and employers with insights into our health and habits. Recently, the Heart and Stroke Foundation partnered with Desjardins Insurance to launch a set of apps and tools to help users reduce their risk of having a stroke.

Now wearable computing products are being marketed to employers as a cost-cutting measure related to mental and physical health. In the United States, Empatica’s advertising video demonstrates its emotion-monitoring product, which is a wristband that gathers information about blood pressure, skin conductivity, body temperature and body movement in real time.

The data is collected through the user’s smartphone and analyzed to show activities that lead to stress and the locations where stress is generated.

These are beneficial uses of the technology but how far does this go exactly?

How long is it before insurance companies are refusing payouts based on biometric data retrieved from smartwatches they make you wear as part of the policy?