Stephen Cobb, CISSP
Sr. Security Researcher
What’s the biggest threat to the
success of your wearable project?
A. Lack of funding
B. Competition
C. Skills shortage
D. Technical challenges
E. Bad press and brand damage due to a data breach that could have been prevented with better security and stricter adherence to privacy policies
This is not success
Shares in Hong Kong toy maker VTech halted after customer data stolen
Worrying IoT survey results
52% believe most IoT devices on the market right now DO NOT have the necessary security in place
49% don’t trust having personal / private data tied to IoT devices, but still use them
Only 18% of people trust having their personal data tied to IoT devices
90% of developers think current IoT devices lack necessary security
Auth0, November 2015
A Tale of Two Industries
Wearable Tech
Tech to help people
Gather and analyze data
Improve health, lifestyle
Inform decision-making
Enhance experience
Criminal Tech
Tech to help themselves
Steal data, sell stolen data
Ransom data
Rent/sell tools to steal data
Enhance earnings
Data crime is an industry
Fueled by information about people
Wearables = information about people
Targets endpoints and servers
Wearables = endpoints
Wearables will be targeted by data thieves
Wearables will be scrutinized by the Federal Trade Commission
Attack surface challenges for Wearables
WEARABLE DEVICE: Bluetooth, USB, operating system, OS provider, app frameworks, app software, app provider, app analytics, utility API, CRM/marketing, location service, physical access
SMARTPHONE: Wi-Fi, Bluetooth, 4G, SMS, USB, NFC, operating system, OS provider, app frameworks, app software, app provider, app analytics, utility API, CRM/marketing, location service, email, web browser, physical access
WIRELESS AP/ROUTER: firmware, operating system, Wi-Fi connections, wired connections, web interface, support services, USB, WPS, physical access
COMMS SERVICES (wireless and cable): NOC facilities, HVAC, eavesdropping, retention policies, traffic monitoring, diagnostics, service updates, protocols, physical security
THE CLOUD: operating systems, hypervisor, database managers, sharding, encryption, replication services, shared hosts, multiple locations, data center security, transnational flows, shared facilities, maintenance, third parties
COMPANY WEBSITE (WWW): customer data, upgrades, add-ons
What’s the FTC got to do with it?
Consumer protection agency
Polices data privacy and security in the U.S.
50 law enforcement actions and counting
Monitors emerging technology
Suggests appropriate behavior
Looks for inappropriate outcomes
Takes cases to set precedents
Imposes onerous settlements
FTC model for success
FTC 10 security commandments
1. Start with security
2. Control access to data sensibly
3. Require secure passwords and authentication
4. Store sensitive personal information securely and protect it during transmission
5. Segment your network, monitor who’s trying to get in/out
6. Secure remote access to your network
7. Apply security practices when developing new products
8. Make sure your service providers implement reasonable security measures
9. Put procedures in place to keep your security current and address vulnerabilities that may arise
10. Secure paper, physical media, and devices
FTC IoT tips (1-7 of 13)
1. Start with the fundamentals.
2. Take advantage of what experts have already learned about security.
3. Design product with authentication in mind.
4. Protect the interfaces between your product and other devices or services.
5. Consider how to limit permissions.
6. Take advantage of available security tools.
7. Test security measures before launching product.
FTC IoT tips (8-13 of 13)
8. Select the secure choice as your default setting.
9. Use your initial communications with customers to educate them about the safest use of your product.
10. Establish an effective approach for updating your security procedures.
11. Keep your ear to the ground.
12. Innovate how you communicate.
13. Let prospective customers know what you’re doing to secure consumer information.
Security is not about compliance
Forget HIPAA, PCI, COPPA: any wearable system handling personally identifiable information will be targeted, whether it’s PHI, ePHI, or PII, and whether or not HIPAA applies
Bottom line: breaches are always bad news, and so a transparent, documented, good faith effort to protect user data is your best approach and your best defense
Thank you!
www.WeLiveSecurity.com
Stephen.Cobb@ESET.com
www.slideshare.net/zcobb
@zcobb

Security and Wearables: Success starts with security

Editor's Notes

  • #2 Health records > Prizes
  • #4 Data belonging to some 4.8 million parents and more than 200,000 children was taken. It said that included names, email addresses, passwords and home addresses of parents, as well as first names, genders and birthdays of children.