What evil can you actually wreak with a hacked wearable?
Thu 26 Mar 2015
Security researcher Roman Unuchek has published an account of how he hacked his own Android Wear device with surprising ease, and it left me pondering again the two recurrent questions regarding wearable security: why are wearable devices so easy to hack? And what can you do with the hacked access once you have obtained it?
At a glance, the second question seems to resolve the first, because the obvious answer seems to be ‘Not much’. Wearable health trackers are usually passive devices with small power sources; they observe and report on request, and even if – as Unuchek discovered – the world is full of orphaned wearables that are not currently connected to their owners’ smartphones and are casting around gannet-like for any connection, all they can really tell you, assuming you can make sense of their data streams, is current ‘live’ information about the person wearing them.
To boot, there is no Shodan-style search engine for wearables, since (as Unuchek also observes) although the estimated range of a common-or-garden Bluetooth-connected health tracker is 50 metres, in practice connections are difficult to establish or maintain at more than 6 metres (about twenty feet). So not only are reliable opportunities limited to coffee shops, workplaces, trains and other confined environments, but wearable devices don’t even show up on Bluetooth if they are already connected to the user’s phone (or that of another hacker).
An additional obstacle that Unuchek mentions is the need to get an authentication response from the user at the start of the intrusion. But since wearables typically have no GUI-style interface, machine-to-wearer communication can be limited to as little as a minor vibration cue prompting the wearer to pair up on Bluetooth, ignorant that someone else is actually asking for that connection to be made. In practice, Unuchek reports that ‘It is not difficult to make the user press a single button on the wristband. You just need to be persistent’, and he was able to connect to 54 devices in Russia, the U.S. and Mexico, in spite of what appear to be grievous security obstacles.
But he struggles (as do many security firms keen to wring new products and traction from paranoia) to envisage calamitous ‘wearable hack’ scenarios, not least because the typically under-specced devices dump their users’ biometric data to the cloud so regularly, in order to clear their minuscule buffers for another hour. Whether or not the goldfish memory of so many wearables is a pragmatic consequence of ARM-style frugality, it is actually a tolerably sensible security ‘feature’ in practice. Why break into the bank if the armoured van just came and emptied the vault? Once the pulse/respiration/footfall data is resting in the cloud, hacking it becomes a more conventional web-based pursuit, with or without the aid of a ‘captured’ wearable.
Unuchek’s examples of wearable apocalypse vary in quality: in one he suggests that store owners could monitor your hacked heart rate as you view prices; but in a climate where we are so willing to give up our privacy for trifles, toys and loyalty points, such a scheme is far likelier to be instituted without any need to hack.
The second example, of a fraudster making your hacked wearable vibrate constantly and demanding money to stop it, is presumably humorous – the hacker would perforce be within eyesight, and likely to get more cash from a straight mugging. Additionally, unless the hacker has just broken into your Tag Heuer love-magnet, you’re likely to end up better off just trashing the device and buying a new one.
Even a passive monitoring system has some kind of BIOS, the capacity to reboot and/or the functionality to run numbers, so an invader could in theory attempt injury-inflicting harm by borking your BIOS or making your sports band calculate pi to the last digit until its lithium-ion battery explodes; of course the batteries depicted in that video link are gargantuan compared to those powering your pulse-meter – if it even uses batteries. Either way, the attacker will need to be practically cuddling the victim, or pressed really hard against a nearby wall. Again – if you got to shoot, shoot – don’t hack.
All this assumes the limited spec and relatively low connectivity and scope of Gen #1 wearables. But the next generation, led – if not dominated – by the iWatch, is likely to complicate the matter by adding storage, i.e. more than one hour of historical information on your day’s activity. So the security-friendly practice of cloud data dumps could be traded off against the customer’s wish to gen up on the day’s activity without running mobile data through a semi-intelligent sweatband.
With a reasonable amount of data stored, there is a little more scope for mischief – or, perhaps, vengeance: would you like to know why your partner’s pulse rate rocketed to its coronary threshold for 19 minutes in the hour or two that s/he had to stay late at work? (In fairness, PowerPoint presentations can also have this effect.)
Most of the other possible uses of a wearable hack are of a biometric nature – ‘lie-detector’ tests by bosses, dates and sundry enemies – few of whom are likely to be motivated to take the great pains necessary to hack your wrist buddy. The wearable’s most useful vulnerability, if it can be accessed and exploited, would be any weakness in its encryption as it cloud-dumps, possibly affording reusable keys, or at least the chance of a MITM snoop.
But Unuchek’s final point is valid: it would be a mistake to leave Gen #1 security in charge of Gen #2 hardware. The NSA are probably counting on that.