Wearable fitness devices pose significant threats to business networks

May 20, 2020
Examining the potential hazards presented by wearables and what you can do to mitigate the risk

During the COVID-19 pandemic, many governments have been turning to IoT solutions to help fight the disease. These solutions range from the kind of contact tracing apps that have been deployed in SE Asia to the fever detection technology that is now being promised for U.S. hospitals.

In this context, security professionals have been quick to raise concerns about the security of these solutions. They've pointed out that there remain many video conferencing vulnerabilities, and hospitals face major threats when it comes to cybersecurity. In addition, these threats are exacerbated by the widespread use of biometric IoT devices, which remain an insufficiently secured part of many IT environments.

These concerns are not new. Many analysts have warned about the privacy implications of biometric IoT devices – and particularly wearable fitness devices – for many years. In truth, however, the potential risks of these devices go far beyond the privacy intrusion they represent for the everyday consumer. They also present a major source of vulnerability for business and corporate networks.

In this article, we'll look at why this is, and what you can do to mitigate the threat of wearable fitness devices.

The Threat

The threat that wearable fitness devices present to business networks stems from a number of factors. This is why, in August 2018, the Pentagon banned the use of fitness trackers, each of which possesses geolocation features, on military bases due to their exposure to data leaks. The Pentagon had recognized that this security problem is presented not just by a fitness tracker, but by its whole ecosystem.

The most basic element of this risk is that the design of these devices typically prioritizes easy connectivity over security. The connection between a wearable fitness device and an employee’s smartphone is relatively secure – because most devices make use of end-to-end encryption – but the same cannot be said for the insecure cloud storage where these data are then kept.

Another element in the risk profile associated with these devices is the sheer number of them now in use. Recent research shows that the number of fitness trackers in use is expected to reach 560 million in 2021, and for many companies, this means that the majority of their employees will be utilizing these devices.

Third, the way in which these devices integrate with other online accounts can make them a particularly prized target for hackers. Most employees will link their fitness device to their social media account, use their personal email address as a backup authentication system, and may even integrate their workplace accounts with these devices.

A Lack of Knowledge

Many of these threats are caused by a lack of knowledge, at least among the average staff member, of how wearable fitness devices actually work. This is understandable, given that many of the apps these devices run through hide much of their complexity behind stylish UIs.

The threat of wearable fitness devices is not so much that an attacker will get access to the heart rate or CO2 level of your employees. Rather, it is that by gaining access to such a device an attacker can gain access to more critical personal and commercial information. Many fitness wearables now allow their users to access their accounts at select financial institutions and make payments, for instance, and so bank details can be compromised in this way.

As Michael Lynch, the Chief Security Officer for InAuth, a cybersecurity company, recently pointed out, “even though the wearable itself may not be the primary target of an attack, its link to a mobile device creates another point of entry for cybercriminals to exploit – especially since wearables security is a relatively new frontier.”

Protect Yourself

The risks presented by wearable fitness devices have historically been difficult for IT professionals to combat because these devices are typically not included within corporate cybersecurity strategies. In BYOD environments, many employees will be willing to give the IT department oversight of their laptop but will regard interference with their personal fitness device as an intrusion.

For this reason, the only practical way for IT departments to limit the threat of these devices is through staff training and rigorous BYOD policies. Employees should be taught, first and foremost, how to set up a strong password for their device, and the way in which this device interacts with their other devices should also be explained. Going further, they should also be taught how to secure their home IoT network, and how to install a VPN for their smartphone. All of these steps can limit the vulnerability of their devices.

Secondly, businesses should enact a strict policy on when, how, and where personal devices can be connected to corporate networks. Employees should be prohibited from connecting their wearable fitness device to their work phone, work laptop, and any other system that they use professionally. Ideally, workplace and personal device ecosystems should be completely segmented, and indeed this is the approach that the Pentagon recently took. However, for small businesses, this will likely remain a target, rather than a practical reality, for some time to come.

The Future

Though the risks associated with wearable fitness devices are not new, they are likely to become more prominent in the coming years. In the context of the current crisis, some analysts are pointing out that COVID-19 is driving increased industry consolidation, and that device integration will therefore likely accelerate in the next few years.

For this reason, it is crucial that businesses of all sizes take immediate steps to limit the potential damage that can be caused by their employees' personal devices. Education on the genuine dangers of wearable fitness devices is a great place to start.

About the Author:

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.