When wearable technology is discussed, the focus is often on the cool new gadgets on the horizon and how they will change our lives. Sometimes lost in the shuffle are the potential security risks and privacy issues raised by this new frontier. But for experts at data security firms like San Diego-based ESET, those concerns are top of mind. Cameron Camp, a security researcher at ESET, spoke with Wearables about how to protect your data as an early adopter of wearable technology.
Q: What are some of the biggest security challenges when it comes to wearable technology?
Cameron Camp: Race to market, pure and simple. If your gear misses the marketing wave and becomes an also-ran, you may be out of business. With those do-or-die pressures, features have more focus than security, especially in a crowded market.
Q: How do you resolve security threats in wearable tech?
CC: Forklift in existing security implementations; don’t try to reinvent the wheel. The problem here is that if you don’t have a staff of security ninjas – which are very scarce in the marketplace, let alone on your staff – and they get the implementation wrong, you still may have a problem. This is why third-party audits are a must, as well as an openness to what security folks recommend, especially after features have been locked in and gear is ready to ship, when this kind of advice is harder to hear.
Q: Can the biometrics collected by wearable technology actually help keep data more secure than the easily hacked passwords we’re used to? If so, how?
CC: Basically, by data-logging your heartrate over a period of time, it can create a very-difficult-to-clone “signature” that can be used with more confidence than, say, a password. Wearables represent another authentication factor, pure and simple, and the more you have, the tougher you are to hack.
Q: For many people, a big part of the appeal of wearable technology is the convenience of having your data and computing literally at your fingertips. How do you balance that desire for convenience with the need for security?
CC: If I were deciding to buy and use a wearable, I would give serious thought to what data is being gathered, and whether I’m OK with it being shared with the general public. Is there a way that data could be used by itself or in conjunction with other data to gain even more information about me? For instance, I would not be happy with a device using GPS to track my movements, as that could be used to tell when I was out of the house or when I’m sleeping.
Q: How do security experts keep on top of the vulnerabilities in the various wearable devices being released to market?
CC: The unfortunate answer is that we’re not yet aware of all the vulnerabilities and risks of the various wearable devices. All kinds of software contain vulnerabilities, but we are usually made aware of those because someone is out there looking for them. I would bet there are a lot of wearable devices out there that have not yet been thoroughly tested for vulnerabilities. Until the market begins to settle down and consolidate somewhat, that is likely to continue to be the case.
Q: Which wearable devices are the least secure?
CC: There are a lot of variables that go into this, so it’s a very difficult question to answer properly. Wearable devices that do not connect to the Internet or to your computer are the least likely to allow data to be stolen. Any time you allow data to be transmitted, you increase risk. The least-secure scenario that I could envision would be any wearable that posts your tracking and personal data publicly on a forum or social networking site.