By Marc Bown
In this session, we discussed wearable security, taking into account considerations and constraints unique to wearables and IoT devices.
In this session, we used Fitbit’s architecture and experience to frame a discussion around wearable security challenges and best practices. We explored threats that wearable devices face and considered how the unique constraints of wearable devices affect the ability to address those threats.
The discussion quickly centered around two basic security controls that IoT devices such as wearable fitness trackers require: encryption and updatability.
Encryption is conceptually simple, but its implementation can be very difficult, especially on devices with limited computational power and low capacity batteries. We discussed the challenges of managing keys in low-cost devices that are manufactured at scale, as well as the differences between symmetric and asymmetric cryptography, including their performance and key management characteristics.
Updatability is both important and potentially risky. We talked about how to ensure update channels are not abused to load malicious software onto devices, as well as the importance of having a streamlined QA process that facilitates timely updates, without the risk of bricking large numbers of devices in the field.
An additional line of conversation is worth mentioning: One participant pointed out that the wearable itself is often of less interest than the data being collected. This led the group to discuss the various approaches for permissioning APIs for third party use and for communicating to users how access to their data is managed.
The overall theme of our discussions was that wearable security is actually rather similar to many other areas of security. The key is to understand the unique threats that must be protected against, to design controls for those threats, and to test their effectiveness. The difference is just that in some cases, those controls need to work in different ways to accommodate the constraints of the devices themselves (e.g., low power or low bandwidth).
I really enjoyed facilitating this conversation and was grateful for the insight shared by the participants. I’m hopeful that everyone who attended can now apply and share the knowledge we gained as we all work to improve and advance the security of wearable devices.