Wearable devices and new health and fitness apps are among the most popular consumer electronics products out there. We all want to be fit, and mobile technology helps us be so almost anywhere - from the gym to the office to the jogging trail to the bedroom.
Maybe that’s where “a wholesale disregard” for our privacy rights truly crosses the line: the case in point is Canadian, and the multi-million dollar settlement a connected sex aid device manufacturer had to pay because of its inappropriate and unwanted recording and storage of customer’s private data – text messages, chat conversations, even device usage stats.
The remarkable sensors used in popular fitness-tracking apps and new wearable devices may be improving your, uhh, health, but they are also putting your privacy and security at risk.
There can be as many as 25 different sensors in a sophisticated smartphones, and many are intimately linked with apps that track, analyze and evaluate your daily routine and physical activity. Very handy if you want to count all the steps you’ve taken, the push-ups you’ve done or the calories you’ve eaten.
But sensors that keep track of a phone’s motion and orientation, for example, can be used to crack the four-digit PIN code that’s supposed to keep the device secure and the user’s data private.
A cyber-security report from researchers in the U.K. says they can hack a mobile device using the sensors inside, thus gaining access to a lot of information about the user.
As part of their research, researchers embedded some code (a simple JavaScript) into a website that a smartphone owner might visit. By tapping into and reading the phone’s position, movement and angle, they could successfully guess the users’ PIN on the first try (the success rate was 75 per cent; by the third attempt, cracking the code was successful 94 per cent of the time)!
Researchers also noted that the coded attack site could also get additional information from the phone.
That’s with just two of the sensors; another report says every activity tracking sensor has a security weakness: vulnerabilities like revealing location data (through unsecured Bluetooth channels) or leaking password information (no encryption on Wi-Fi transmissions).
In fact, it’s only now becoming clear to manufacturers and developers the full scope of the risks associated with mobile device sensors, and the importance of protecting the data they generate.
Urs Hengartner, an associate professor in computer science at the University of Waterloo, conducts research into the many security and privacy issues he has identified with various mobile device sensors and embedded technologies. Accelerometers and gyroscopes can easily reveal location information, but even the touch screen we use to input passwords and other user identification data are vulnerable.
Of course, even more sensitive and specific sensors are coming: fitness apps and host devices can measure blood pressure, heart rate, body temperature and more. New devices will evaluate your sweat with electric signals that measure and detect things like glucose, lactate, sodium and potassium levels, and the capabilities are but a short step away from tracking a user’s emotional as well as physical health.
There’s even a fitness tracker that has a breath sensor, capable of detecting acetone, a by-product of human metabolism. Bad breath may or may not be a secret, but you can see – or sense – where the trend is headed: according to some estimates, as many as 245 million activity and fitness trackers will be sold in 2019.
Watches and wristbands are projected to make up most of the sales in an overall wearable market expected to be worth $14.5 billion by 2021. That’s but a fraction of the total connected device, or Internet of Things, marketplace.
But all manner of IoT devices have been used in recent cybersecurity incidents that compromise the privacy of their owners and the security of the Internet overall. Reports about how hackers can take down popular websites like Netflix and PayPal with an attack launched from hijacked baby monitors, or how toy teddy bears (soft, cuddly and connected) were leaking personal and private communications are just about as common as the rate of new product releases.
While gadget manufacturers surely have a duty to design privacy, safety and security tools into their products, so too, consumers have a duty to protect themselves and each other by being educated about their device and using safety tools that are available.
So privacy advocates are welcoming the (perhaps a little late in coming) news that a leading consumer protection agency is now working to develop security and privacy standards for Internet-connected devices.
The U.S. non-profit Consumer Reports organization is working with Disconnect, a maker of privacy-protection software, Ranking Digital Rights, which ranks companies on their privacy practices, the Cyber Independent Testing Lab, which researches and tests software safety, and Aspiration, which connects software and technology skills with other non-profits.
They are all working to “create a digital privacy and security standard to help guide the future design of consumer software, digital platforms and services, and Internet-connected products.”
One goal is to ensure that, as much as a connected device offers desirable features, it should also function without being connected, and operate much in the same way whether it is collecting data or not.
Whether it’s used in the bedroom or not.
-30-
