Technology has made our lives easier and more active. Whether it is a smartphone, a laptop, or a quantified-self (self-tracking) device, everyone is equipped with some form of technology. Quantified-self devices, which can record every facet of life including emotions, thoughts, health, and individual inputs (food, surroundings), are in great demand nowadays. Such self-tracking devices raise security and privacy concerns.
According to an ABI Research report, shipments of wearable devices will reach 485 million units by 2018. In the USA, people are inclined toward wearable gadgets, especially for health monitoring. According to a study by the Pew Research Center, 60% of American citizens regularly track their exercise activity. The chart below shows the multitude of subjects that a self-tracker observes.
Chart: Examples of types of information that can be tracked using self-tracking apps
People who suffer from a chronic medical condition, sportspeople, and security geeks use self-tracking devices. A tracking device or smartphone app relies on sensors: it takes status readings from several sensors, digitizes them, and keeps them for future use. In the absence of sensors, users can assess their current state and enter the data into the app themselves. The stored data may not seem very sensitive, for example water consumption or mood-tracking data.
Types of Quantified Self:
Different quantified-self devices can track an individual’s motions every day. Generally, they can be divided into two types: smartphones and wearable devices.
Smartphones (with Apps):
Smartphones carry many built-in sensors, and many of them have self-tracking apps. These sensors include an accelerometer, GPS sensor, microphone, magnetic field sensor, heart rate sensor, thermometer, and navigation systems. A smartphone is generally used for telephony, but together with its sensors and a self-tracking app it becomes a quantified-self device.
Wearable devices are lightweight and come in the form of a wristband or watch. Such devices can be used for sports and carry gyroscopes and accelerometers to generate data about an individual’s activity. To identify an individual’s current activity, a wearable device reads the streaming data from its sensors and sends it for analysis and review; finally, the result is presented in a clear format.
Risks associated with Self-Tracking Devices:
Self-tracking devices are exposed to many security risks because of the current data and personal information they hold. There are mainly two types of risk in self-tracking devices: transmission risk and cloud storage risk. Many self-tracking apps have a cloud-server component where aggregated data is stored, but the main concern is that a large portion of such cloud servers do not use an encrypted channel for data transmission. Attackers can therefore take advantage of this security weakness and expose user data. Thus, users’ privacy is about to die or is already dead. Besides this, there are a few other risks associated with self-tracking devices, which are as follows.
Quantified-self devices collect a broad range of individual data that attackers can use for identity theft. Such data includes daily activities and a wide range of other personal information such as birth date, relationship status, home or office addresses, and photos. Attackers sell such data at a high price on the black market, or they can misuse it by making fake official documents in the name of a real person. With fake documents, attackers can open false bank accounts, make ransom attempts, or commit IRS fraud.
Profiling is a record of data based on an individual’s behavior. Quantified-self devices collect a huge amount of data. Marketers may use these records for advertising, and they may sell this data to organizations or governments for special or law-enforcement purposes. Certain attacker groups can also misuse such data and put users at risk. Companies can also target their audience with the help of profiling and offer the best product based on an individual’s behavior, for example insurance, cars, or health products.
Stalking is the unwanted tracking of a user’s location based on collected real-time data. A quantified-self device can provide real-time location, which might put users at risk if an attacker gains access to the device. This information could also help stalkers, private detectives, and governments find their targets. Such activity can create fear and intimidation in the victim.
Corporations run employee wellness programs and monitor employees’ activity, which keeps employees under immense pressure. Insider threats target such information and may put innocent employees in danger. An attacker can sell this information to various agencies for a large sum. In addition, many service providers have weak session management that attackers can exploit to hijack sessions, which can lead to data leaks, data sabotage, and other harm.
Recommendations for users and developers:
Securing a quantified-self device requires the attention of users, service providers, and developers. Users especially have to take care of their personal information.
Normal users can take the steps below to avoid unwanted access:
- Keep your screen locked when the device is idle. Your password should always be long to prevent unauthorized access to your device.
- Change your password frequently, which will help keep your device secure.
- Keep your Bluetooth off when it is not in use.
- Avoid providing the needless or excessive information that many sites and services ask for.
- Be alert to social sharing features and avoid sharing your location details.
- Do not skip OS or app updates or patches whenever they are available.
- Use a device-based security solution and apply full device encryption.
For app developers and service providers:
- For developers, it is sensible to focus on app security from the beginning.
- Using a secure protocol like SSL is necessary for data transmission.
- Make sure that the device is not openly accessible or indirectly traceable.
- Do not collect data that is unnecessary for the service.
- Make strong passwords a habit, especially for user accounts.
- Practice secure session management.
- Follow best password practices, such as storing salted hashes instead of the real password.
- Build a pen-test system infrastructure for security purposes.
- Check back-end systems for any potential intrusion.
- Run security testing in the product development process.
- Make sure that your staff is well versed in dealing with sensitive information.
- Data controllers should be familiar with relevant data protection laws.
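To illustrate two of the developer recommendations above (storing salted hashes instead of the real password, and secure session management), here is an added Python example; it is not code from the original article. The function and class names, the PBKDF2 iteration count, and the 15-minute session lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to your hardware
SESSION_TTL = 15 * 60         # assumed session lifetime in seconds

def hash_password(password):
    """Return (salt, digest); only these are stored, never the password."""
    salt = secrets.token_bytes(16)          # unique random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password, salt, stored_digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)   # constant-time compare

class SessionStore:
    """Server-side sessions keyed by the hash of an unguessable token."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._ttl, self._clock = ttl, clock
        self._sessions = {}                 # sha256(token) -> (user, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, old_token=None):
        if old_token is not None:           # rotate on login: no session fixation
            self.logout(old_token)
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = (user, self._clock() + self._ttl)
        return token                        # send only over TLS, in a Secure cookie

    def user_for(self, token):
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None                     # unknown or forged token
        user, expires_at = entry
        if self._clock() >= expires_at:     # expired: drop it server-side
            self.logout(token)
            return None
        return user

    def logout(self, token):
        self._sessions.pop(self._key(token), None)
```

Because the store keeps only a hash of each token, a leaked session table does not hand out usable session identifiers, just as a leaked password table holds only salted digests.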
I hope this information helps you protect your quantified-self devices from security risks. If any questions arise after reading this article, do not hesitate to comment below.
Image courtesy: Symantec.com