Wearables are only secure until they become worthwhile hacking

If you're looking for peace of mind about your data – don't read this
​How safe are our wearables?

Wearables and security aren't natural bedfellows, and every few months a new headline emerges about big-name devices that don't make the grade in terms of data privacy. While a recent study revealed that Pebble and Microsoft boasted the most secure wearables, it's not always clear exactly what the real-world risks are for those of us wearing devices susceptible to hackers.

Dirty data: The worrying potential of our wearables

From your email account to your smartphone, there are already an incredible amount of devices for hackers to target. With wearables and their increasingly personal nature, the argument goes that fitness trackers and smartwatches are the latest potential goldmine for cybercriminals to tap into.

Security researchers have proved that it's possible to snoop on the devices we're wearing on our bodies with the right code and enough determination — so just how concerned should we be?

In an effort to find out just how safe (or otherwise) today's wearables are, we've spoken to those in the know from all areas of the security spectrum.

Don't panic...yet

The awkward truth is that while wireless connectivity is convenient, it's also hackable.

As a variety of studies have proved, including this one from Kaspersky Labs researcher Roman Unuchek, it is technically possible to spy on wearable devices in a gym or coffee shop.

Right now, it's highly unlikely that anyone who isn't a security researcher is actually going to bother to try. The few drops of data available are not worth the challenge of trying to grab them — it's too much effort for too little reward.

Read next: The quantified self, what are the consequences?

"Current wearables have a limited attack surface," Liviu Arsene, Senior E-Threat Analyst at Bitdefender told us, playing down the risk of a real-world hack but warning that the danger would increase. "Future wearables will likely behave as current mobile devices, making them far more appealing for a cybercriminal."

Arsene explained that only when the fitness tracker and smartwatch market becomes more mature will cybercriminals consider it worth targeting. And in the short term users should focus on privacy, and where their data is being shared.

The big targets for hackers

Your wearable manufacturer's cloud systems are one target for hackers. If you then sync that data with another third-party app, that's two targets for hackers to go after.

With so many people's personal data at stake, how seriously are the wearable giants taking security?

"We fully respect the privacy of our users and Jawbone adheres to the best industry standards when it comes to protecting data and personal information," Jawbone told us. The company has had its hardware audited by a third-party security firm and sets out its data privacy policy in full here.

Representatives from Fitbit were equally keen to put customer minds at rest. "We have always been committed to protecting consumer privacy and keeping data safe," the company said in an email.

"We have spent the last several months updating our privacy policy to clarify our practices and provide transparency for our customers."

While neither would offer specifics on their data platform – it becomes an element of trust. Sony's PlayStation servers were hacked and the account details of millions of users taken – so do users trust Fitbit's to be even more secure? It's a big issues, because the potential spoils of thousands of users' email addresses, fitness data – and in some cases billing data – could be an even more lucrative prize.

Expect to fail

If the lessons of the past few years have taught us anything, it's that few organisations have the power to prevent data theft if the attackers are desperate enough.

Most of the researchers we spoke to were sceptical about the security of wearables in the long term. The general consensus is that, as with laptops or credit cards or cloud storage, hacks are to be expected.

The questions then become: what can we afford to lose?

"For most of these organisations, securing the communication is secondary to actually making the devices function," said Martin McKeay, a security expert and advisor.

"There's a lot to be concerned about with wearables going forward. I haven't seen evidence that there's been any major breaches yet, but there will be... it's going to be where the data is at and that's where the bad guys go."

"Like computers, wearable devices are built on familiar operating systems and have vulnerabilities that can be exploited," David Emm, principal security researcher at Kaspersky Lab, told us. "The problem is, since security and privacy are not a priority for developers, these devices are not being built with security front of mind."

"If wearables are not managed, there's a danger that they might become the weakest link in the chain of corporate and consumer security," added Emm.

Brian Knopf is a security researcher and the founder of BRK Security. He explained to us that firms large and small can do more to protect users: "If they can build the app and the cloud and the firmware for these devices, they probably aren't taking security and privacy into consideration," he said.

Knopf is working closely with Joshua Corman, founder of I Am The Cavalry, on encouraging companies — from self-driving car makers to wearable manufacturers — to be open about security practices and privacy policies.

"The transparency to the end user should be: which data are you collecting? And how will it be used?" Corman told us. "I think we're so enamoured by the benefits of some of these technologies that we haven't thought through the risks."

So, how safe are our wearables?

In short, they're only safe until the point where they become valuable enough to bother hacking. And when they do, no-one can promise that your data is 100% secure.

But what can you do about it? Not much says our expert:

"Be aware of what you're putting out there: do you really want to be handing off all of that data?" concluded McKeay... before admitting he'd just bought his wife a brand new fitness tracker.


What do you think?

Connect with Facebook, Twitter, or just enter your email to sign in and comment.