How secure are wearables, anyway?

Whether you're using that new wearable for yourself or managing IT at a company where fit trackers and smart watches are becoming more popular, wearables just might be the next big bullseye for cybercriminals.

wearables jail

Congratulations on getting that new wearable device over the holidays. You're on your way to a new, trackable, data-filled life. 

Or you’re about to be hacked. 

"Every digital technology, as its use has expanded, has drawn attention from hackers and criminals," says Stephen Cobb of ESET. "So if wearables get to the point where criminals can see a way to exploit them for gain, they will try to do that." 

In his role as senior security researcher at ESET, Cobb says he hasn't seen that happen yet, but that doesn't mean it isn't on the horizon. 

He points to a recent issue with VTech, which makes a wearable for kids. Its customer database, which includes the information of 5 million parents and 200,000 children, was recently compromised

"Some of their toys took photographs and some of those photographs were shared on their back-end system," Cobb says. "In the case of a wearable, this could have location information, it could have health related information." 

[Related: 13 wearable tech trends to watch in 2016] 

Some good news amid the dark: Consumers already have a healthy dose of skepticism about wearables. According to a study conducted by Auth0, 52 percent of consumers don't think that IoT devices have the necessary security that they need. So consumers are going to get into the wearable market already being on guard about the security of their device. 

However, as the VTech breach shows and as Cobb predicts, it's not the devices themselves that are the weak link in the chain. It's the databases where that information being collected is stored. 

"If somebody was going to target the data that a wearable company collected about its consumers, typically criminals are looking for a name, address, personally identifiable information," he says. They could do a wash of things with that information. Also, if they have location information that's updated in real time, they could be looking for when you're not home, which could make you a burglary target -- much like the earlier days of Facebook when criminals targeted people who were posting vacation pictures while still on vacation. 

Most likely, Cobb says, companies will build the necessary security around their databases because otherwise they could face wrath of the Federal Trade Commission. 

He stresses that consumers should do research on the companies that they're getting wearables from as well third-party apps that use the data, too, and to read their privacy policies to see what's being done with that data. If the app doesn't have one? Move onto another app. 

The wearable workplace worry

If you're the CIO of a company that deals with sensitive information -- whether that's health information, company trade secrets, financial data, attorney-client privilege -- there could be legal repercussions for letting wearables into the workspace. 

"I'm going to be worried about things like Google Glass and cameras on smartwatches and anything that's either able to record audio or visual," says Mark McCreary, chief privacy officer and partner at Fox Rothschild LLP. "That's your primary concern as far as protecting your own data." 

Even if employees are recording without thinking anything of it (making a goofy video about totally unrelated to work but at work, for example) that video or audio could have sensitive information in it and be uploaded into different places – like a cloud – that are not as secure as your own company's systems. 

"It's about there being multiple copies. It's about not having control of the data," McCreary says. He likens it to employees using Dropbox at home. Copies of the information in that Dropbox are no longer just at work. The same may be true with what wearable are picking up. 

And that's not even getting into people who may come into your company's office with the intention of recording and stealing information (remember, the Target hack happened because of a heating and air conditioning company). It's a lot less obvious that they're doing that if they're a wearable than if they were to take out their phone and hit record. 

In those cases, McCreary says, especially if your company deals with sensitive information, it may be worth banning wearables that have the capability to record entirely in the workplace, or not allowing them in areas where sensitive information is out in the open and being discussed. 

The HR wearable angle

Some companies are giving out tracking devices like Fitbits to their employees as part of wellness programs. While the intention behind that decision might be a good one, Beth Zoller, legal editor at XpertHR, says that it presents possible human resources and legal issues in terms of who gets to see that data. 

"There are invasion of privacy issues," she says, especially if the employer has access to health information of an individual. Every Fitbit except the Zip, for example, records activity but can also record sleep patterns, which an employee may not want an employer to have. 

A company-given wearable also raises issues of what is personal time and what is private time. "There is the risk of employees who are wearing wearable devices that the lines between work and nonworking time is a blur," she says. "The employer might be able to pay overtime." 

She adds that if a device records video or audio, employers need to make sure that they are not accessing information that they do not have privilege to, such as those having to do with union activity, or else they risk running up against the National Labor Relations Act

The best way to handle wearables in the workplace, says Zoller, is to "create a policy as to what the employers' position is going to be, how employees are going to be able to use wearabales, and also train employers and supervisors and employees" on how wearables can and cannot be used at work. They've also published a guide to wearables on their website. 

Wearables are a big industry, but still shiny and new, and are bound to be tested by the hacker world, even if we don't know how, when or where. "Every wave of technology gets scrutinized for weakness and weaknesses that are found are exploited," says Cobb. "It's certainly an area we need to keep an eye on for emerging threats down the road.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Related:
Download the CIO Nov/Dec 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.