Lawrence Garvin, head geek at SolarWinds, tells PCR of the increasing security risks presented by wearable devices as 2014's 'must-have' tech becomes ever-more prevalant...
Wearable technology has been around for longer than you might think.
The simplest, and perhaps the oldest, example is the wristwatch; however, the medical services community has provided us with several devices over the years that might also be considered as wearable technology. The hearing aid is one of the most ubiquitous examples – implanted devices such as pacemakers and cochlear implants can also be included.
What we’re on the leading edge of now, though, is the introduction of inter-device data communications. To some extent this already exists, although typically in the form of a one-to-one communication; some sports and health devices have Bluetooth capabilities and can dump data collections to your PC, tablet or phone, where additional software processes and presents that data for consumption.
The ‘ultimate’ wearable in the ‘Internet of Things’ scenario is a biometric monitor that can be worn on the wrist. It knows when you have been exercising (or maybe just working hard). It can detect that your body temperature is a bit warm, and then send a message to your home thermostat to adjust the temperature. The home thermostat checks the biometric monitors of other residents in the home and determines an optimal compromise for all persons considered, also taking into account the time of day, the outside weather and the amount of energy to be consumed or saved as a result of the proposed temperature change inside.
All of this sounds exceptionally exciting, until we remember the story that broke in early January about a botnet already running on Internet-connected appliances and devices. In that instance, the primary implication was the abuse of privately owned devices to generate spam emails, but the fact that such devices can be commandeered in such a way should be cause for grave concern.
If they can be usurped to send emails, what else can they be usurped to do? How far can you trust non-sentient device ‘A’ to send a responsible request (or sensitive data) to non-sentient device ‘B’? How much more critical does it become when one of those devices is a wearable device?
We can group wearable devices into two functional groups. The first group is devices that monitor the state of our body, our location, direction, movement, etc., and may share that information with other devices. The second group is devices that provide direct assistance to our body, or may even be able to control the physiology of our body.
Both groups can be susceptible to intrusions and usurpation. While the first group may not be able to do any direct physical harm, it could be capable of doing so indirectly. The device may provide inaccurate information that results in an inappropriate voluntary response on the part of the wearer, or if the device shares that inaccurate information with another device, it may result in an inappropriate response from another device.
The second group is possible even more critical. Earlier I mentioned hearing aids and pacemakers; it’s been quite some time now that it’s been possible to perform remote monitoring of cardiac management devices. What catastrophic results could occur as a result of a physiological control device being infected with malware, or being usurped – even if for the seemingly innocuous purpose of sending email spam?
A secondary consideration arises when employees and guests bring wearable devices into the workplace. What type of connectivity will exist between the wearable device and the corporate networks?
The good news, for the moment, is that a lot of this is simply not possible yet. For the most part, wearables have restricted their communication methodologies to Bluetooth, but Bluetooth isn’t the most secure communications channel either. More sophisticated devices, such as Google Glass, are Wi-Fi enabled – meaning instant internet connectivity.
It may well be that the industry needs to develop a new, more robust and secure, communications channel to support ‘thing’-based communication – other than wireless networks used to connect to the internet or Bluetooth networks typically used by much less innocuous devices such as keyboards, trackballs and telephone headsets.
Wearable devices and the ‘Internet of Things’ may well be one of the most significant dichotomies of the moment. As a technology it has existed for dozens of years; however, the entire realm of inter-device communication is totally untested, and should be untrusted, until appropriately secure communications technologies are developed to ensure the integrity of device-to-device exchanges.