Securing your in-ear fitness coach: Challenges in hardening next generation wearables

Wearable platforms today enable rich, next-generation experiences such as secure payments, specialized sports tracking and precise location monitoring. Data collection is only the first step for these products. The real “user experience” is often the result of a complex mesh of interactions between wearables, smartphones, cloud-hosted array of web applications and analytics software. Designing and validating security for such ecosystems, the kind of which never existed until a few years ago, demands brand-new lines of thinking and security best practices. Wearables live and operate on the human body, collecting a wealth of personal data. This gives rise to new challenges in storing such data securely and conforming to privacy regulations, especially in a world where consumer privacy laws are so diverse.

The Oakley Radar Pace is a head-worn real time, voice activated coaching system that creates and manages training programs for track running or cycling. The “coach” is an NLP-powered voice assistant on the eyewear. User can converse with it hands-free, and get advanced feedback on their performance.

In our presentation, we talk about the security and privacy research that went into designing and developing Radar Pace, including a custom Security Development Lifecycle (SDL) that accounted for the three “branches” of the program: wearable, phone and the cloud. We present examples of vulnerabilities and privacy problems associated with such new classes of products. While the applications and use cases for wearables are limited only by the designers’ imagination, the best practices we have pioneered will be useful and can easily be reapplied by vendors creating new wearables and IoT products. The goal of our presentation is to educate attendees about shedding the old notions of privacy and Security Development Lifecycle when preparing for the products of the future, as well as to discuss interesting security vulnerabilities in such technologies

Presentation Outline

[1] What is Oakley Radar Pace? A short introduction to the Oakley Radar Pace : use cases, end-to-end architecture, communication protocols and technologies used by different components of the ecosystem (wearable, app and the cloud)

[2] Challenging traditional Security Development Lifecycle (SDL) We discuss the shortcomings of the traditional SDL model and introduce a wearable/IoT-centric Security & Privacy Development Lifecycle (SPDL). We discuss how we reuse the good parts of traditional SDL, throw in enhancements to accommodate rapid execution for the next generation programs, and also factor privacy alongside security. Inputs and deliverables for each stage of the custom SDL are discussed in this section of the presentation.

[3] Wearable hardware & firmware security paradigms We talk about wearable-specific hardware and firmware security topics: secure boot, secure over-the-air (OTA) updates, ports and interfaces lock-down (USB/UART/JTAG), etc. We discuss threats associated with each of these topics

[4] Software security paradigms This section covers software security requirements and threats applicable to all three components of the wearable ecosystem: Mobile application, embedded RTOS on the wearable device, and the Cloud. Some of the topics covered in this section are: + Building a secure on-device coaching system that maintains user privacy and protects confidential information + Securely managing the transfer and storage of “conversation data” in the wearable device, mobile and the cloud + Securing communication between the wearable and the mobile app: potential pitfalls with the design of communication protocols, including Classic Bluetooth and BLE + Securing data at rest on the wearable + Secure key management on the wearable and in the cloud backend + Android and iOS security in the context of wearables + Securing common user interfaces: User and Admin portals + Authentication and vetting of third party applications intending to interact with the wearable

[5] Privacy We will introduce the audience to privacy requirements for wearables, the importance of having a privacy plan and a privacy notice. Topics covered in this section are: + Defining biometric, personal data and personally identifiable information in a wearable context + Protecting such data + Privacy requirements for data retention and account deletion + Geo based privacy restrictions for collecting, storing and retaining data + Privacy restrictions based on the consumer age group + User account management

[6] Demo We will use this portion of the presentation to demo some of the real world vulnerabilities that were discovered with the help of our custom SDL

Demo 1: How a rogue application may manage to exploit the pitfalls of BT/ BLE spec adoption in smartphone platforms to snoop on the communication between a wearable and the mobile app, and to inject arbitrary commands into the wearable Demo 2: How the failure to adopt security best practices for Android and iOS may allow a malicious app to gain access to conversation details between the user and the coaching system Demo 2: How an attacker may exploit a vulnerability in the user portal to steal admin credentials and user data, affecting all the wearables in the field (no user interaction required for the exploit to be successful)

[7] Security for white label products In this section, we will discuss how SDL & Privacy are different when a vendor builds and ships a product entirely by themselves, as against working on a white label product that will be branded and shipped by a partner firm. Particularly on the privacy side, this may mean that there is not just one entity acting as the data custodian, the data processor/user and the data owner. When these roles are different, it becomes imperative to define the privacy responsibilities for each of the involved entities.

About the Speakers