IoT: Who Is Counting Your Steps?

Carlos Pastor


Should your fitness-tracking IoT device be secured? I mean, who really cares how many steps you took today or how many calories that banana smoothie really had…right?

In a world where all devices are connected and share different levels of information between them, we need to assume that every connection can be used as a back door, even if the information on the targeted device is seemingly useless. It’s very difficult to predict what obscure data a hacker might find useful or what new pathway they may discover through unprotected devices.

For service providers that are managing a complex and diverse IoT environment, assuming an application or device is not critical and does not need to be secured can prove to be a huge mistake.

Sometimes the criticality of the solution clearly justifies the need for high security. Take a medical device (e.g., an insulin pump connected to the cloud application that monitors blood sugar) that determines the quantity of insulin to administer based on the device’s statistical readings. That is high in criticality and risk because a failure puts someone’s life in danger. Hence, logic dictates that this solution/application needs to be secured in every possible way.

But not every case is as obvious as a medical device. IoT developers have in the past misjudged how hackers can leverage “useless” information or connections for their own advantage. For example, when a major automotive brand rolled out an infotainment system for its signature vehicles, the logic behind its determination that it did not need to be secured was: This is a system that will only read information from the car and provide a “health analysis” to the car owner and service agency. This was true until it wasn’t.

The moment hackers learned that uConnect gave backdoor internet connectivity to a car’s operating system, it became only a matter of time before they developed a tunnel that granted control of the car’s entire driving system. The case saw significant media coverage, as hackers were already gaining control of the car’s steering and braking systems. Since then, regulations require IoT cars to be internet-connected based on their criticality.

Recently, researchers demonstrated a new attack that could use terrestrial radio signals to hack a wide range of smart TVs, raising an unsettling prospect: the ability of hackers to take complete control of a large number of sets at once without having physical access to any of them.

So, what does any of this have to do with your IoT fitness tracking device?

The interconnectedness of devices in the IoT era creates vulnerabilities that the creators of the individual devices could easily overlook. What happens when you get into your connected vehicle and connect your unsecured fitness tracking device to your car using a Bluetooth signal? Are you opening a back door to your car’s operating system? If hackers can access and control your IoT-connected fitness device, then they could certainly gain access to other devices through Bluetooth, WiFi or other device-to-device connections.

Some of these ideas may seem far-fetched, but your device will eventually be connected to other types of services in its ecosystem; the application that monitors the device and connects it to a cloud application might also be connected to other sensitive information, such as billing (with credit card numbers), addresses, locations or other things users would not share so willingly.

To secure every single device and application in an ecosystem that is not standardized in any way or form, and that may use a plethora of different devices, operating systems and capabilities, a comprehensive, consistent platform – not a one-off solution – is required. This is possible when service providers offer network-based security, which is of paramount importance in an age of hyper-connectivity.

Learn more by downloading our white paper: Protect IOT Opportunity With Network-Based Security
