Connected Wearables – The Next Hacking Front?

Today everything seems to be connected to the Internet, and I mean everything. The Internet of Things (IoT) is moving from appliances and vehicles to wearables and human sensor technologies. Connected wearables are devices worn by a person to collect data, such as body metrics, location, and environmental information. This information can then be used to provide human experiences through devices such as smartwatches, eyeglasses (Google Glass, for example), or fitness and activity trackers. Like connected cars, connected wearables are designed to improve convenience and interaction within our environment.

With that said, connected wearables are rapidly gaining market share. According to Berg Insight, the market for connected wearables is entering a strong growth phase that is expected to last for some time. They predict the market will grow at a CAGR of 54.7 percent and reach 168 million shipments by 2019.

Unfortunately, these technology advancements are a dream for hackers. All of this connectivity means that the potential for data leaks, malware, or worse will intensify, especially where mobile apps are concerned. Aside from data trolling on user behavior information (Where did you go? What did you buy there?), the potential for systemic hacks that subvert a connected wearable for possible human harm is also a reality. The critical question is: how will connected wearable manufacturers reduce the potential for data leaks and attacks?

As a growing number of companies provide connectivity solutions, the need for next-generation tools that protect against today’s demanding security threat landscape is not just a nice-to-have, but a must. We must all accept that connected wearables live in a hostile environment (i.e., a hacker’s world). Like any Internet-enabled device, these connected devices are in constant danger of malicious attacks and are subject to analysis, malware injection, tampering, IP theft, piracy, and key extraction, while their human wearers face a new danger to their digital and physical selves. Connected wearables already collect all sorts of customer data and sensitive personal information, and now a hack could potentially impact people’s safety. A proper combination of technologies that provide authentication and resist tampering, reverse engineering, and code lifting can ensure the safety of connected wearables.

To prevent malicious attacks on the software in a connected wearable, the sensor technologies need to be “hardened” to resist hacker attacks. Connected wearable manufacturers must implement a robust and efficient software protection scheme to prevent the loss of proprietary algorithms. Although there are code protection techniques on the market, many do not protect against class breaks (sometimes called “Break Once Run Everywhere (BORE) attacks”). A class break is an attack that, if successfully executed on one software instance, could be similarly applied to crack all other instances of the same software. Typically, all copies of the target software have the same binary code image, which enables an adversary to develop a generic reverse-engineering scheme.

Other software protection best practices include code protection starting at the source code level and white-box cryptography. Code protection is a tool used to “harden” software application code to prevent reverse engineering and other techniques used by cyber-criminals to gain access to sensitive information and resources contained in applications. It achieves an unprecedented level of security by applying effective integrity protection, code obfuscation, anti-piracy, and anti-debug techniques to application code, whereas white-box cryptography keeps secret cryptographic keys well hidden within app code, even during runtime.

Implementing advanced code and data obfuscation techniques, preferably at the source code level, can prevent the use of hacker techniques like static and dynamic analysis and avoid malicious modifications. Combining code protection with white-box cryptography will achieve an even higher level of security.

— Photo credit to Ted Eytan.