IEEE reveals top ten security flaws in fitness wearables

Steve Rogerson
March 1, 2016
The IEEE has identified the top ten security design flaws in fitness wearables. Its report undertakes a security analysis of a fictitious wearable fitness tracking system called WearFit.
Adoption of connected devices including cars, appliances and wearables that make up the IoT is growing rapidly. Industry analysts say that nearly half the population is expected to use wearable fitness-tracking devices by 2019.
The form factor of devices such as WearFit that connect people with other devices represents a new way society consumes computing technology. In turn, this makes wearables a high-priority area of scrutiny for potential software security threats.
Although WearFit is a fictitious product, its design was based on real-world systems, including device architecture and various components, each of which presents a potential attack surface: at the device, in the mobile application, on the web site and in transit between those platforms. The report first describes how the device is designed at a functional level, independent of security, then applies each of the ten flaws in a detailed analysis of the WearFit design.
Based on the top ten flaws, the report advises:

  1. Earn or give, but never assume, trust.
  2. Use an authentication mechanism that can’t be bypassed or tampered with.
  3. Authorise after you authenticate.
  4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources.
  5. Define an approach that ensures all data are explicitly validated.
  6. Use cryptography correctly.
  7. Identify sensitive data and how they should be handled.
  8. Always consider the users.
  9. Understand how integrating external components changes your attack surface.
  10. Be flexible when considering future changes to objects and actors.

“Broadly speaking, security is a real concern whenever technology is involved,” said Jacob West, founding member of the IEEE Center for Secure Design, and chief architect at NetSuite. “While this concern shouldn’t prevent the adoption of technology, we hope that by reading this design analysis, consumers gain a better understanding of the kinds of attacks that can impact wearable fitness trackers, and the good design decisions that can prevent those attacks from succeeding.
“For security professionals, we highlight the importance of building security in from the design of the software all the way through the development and testing, until it is eventually brought to market. With WearFit: Security Design Analysis of a Wearable Fitness Tracker, our goal is to expand the focus to include a balanced approach that looks at design flaws and identifies ways that manufacturers can avoid vulnerabilities and bugs by the nature of the way the device is built.”