
Wearables: fitness trackers, smart watches and intelligent clothing

People have always used numbers to assess themselves. What started out with analogue weighing scales, calendars and tape measures is now expanding to embrace all the new opportunities for digital self-measurement and tracking that digitalisation has to offer. Wearable devices are one such option available today.
Wearables are tiny computer systems that you wear on your body. The technology is already so far advanced that you can measure your heart rate, blood pressure, blood glucose level, sleep or calorie consumption, for example, then use apps to assess those measurements. Before buying a wearable device, however, consumers should make sure that adequate data security safeguards are in place.

Smartwatch with a smartphone as its companion device.
Source: © Andrey Popov / Fotolia.com

Various types of wearable device are available, with the most widely used being fitness or activity trackers. These are often just simple wristbands that contain a hardware component housing various sensors that measure activity. But many also let you accept incoming calls or read messages. Smart watches are widespread too. These usually combine the features of a fitness tracker with additional functions such as being able to control a smartphone or digital assistant.

There are lots of other kinds of wearable technology besides these: intelligent clothing that can monitor the wearer's vital signs, for example; smart headphones with additional features like a digital assistant or real-time translation of a spoken language; and smart glasses that enhance what the wearer can see by adding digital information to their field of vision. However, these technologies are often not very far advanced, which is why they are seen on the market only rarely or not at all just yet. Expanding the real world viewed through a pair of smart glasses by adding virtual content is known as augmented reality.

Wearables can be incredibly beneficial to their wearers. By analysing the data it collects, an activity tracker can give the wearer tips on how to change their behaviour to improve their fitness level, for example. The feedback is intended to help the wearer meet their particular goals, such as reaching a certain step count every day, sometimes aided by an element of game play. But wearables are not only a great helper when it comes to optimising our behaviour, they can also make our everyday lives easier. A smart watch, for example, brings lots of practical apps together in one place so the wearer always has all the information they need to hand (or wrist!). As well as showing the time, of course, a smart watch could also remind the wearer of any upcoming appointments and display e-mails or other messages.

Risks of using wearables

For wearables to offer the functions they do, they and their corresponding apps have to collect personal data. If unauthorised third parties were to get hold of this data, they could find out various things about the user. The type of data being processed depends on the wearable device's function, but it will often be personal data, data concerning health, location data or data relating to the wearer's sleep patterns. In certain circumstances, this data could be used to build up a good profile of the user in question – without ever having to meet them in person.

5 tips for wearables and fitness apps: Fit with wearables and apps
Source: Bundesamt für Sicherheit in der Informationstechnik

Anyone with access to this data could also use it to commit criminal activity such as identity theft. The data could also be useful for doxing, which is the practice of specifically obtaining a person's data in order to publish it online. The goal is often to damage the individual in question; disclosing "controversial" data, for example, could harm someone's reputation. People whose data has been stolen could also be blackmailed with the threat of having their information disclosed.

Vulnerabilities in the application software or the hardware interfaces of the mini smart computer found inside a wearable device are potential gateways into its system and, consequently, to the data stored there. An attacker could exploit these vulnerabilities to gain control of the wearable device. If a hijacked wearable device has extensive rights to control another device to which it is connected, such as a smartphone, the attacker can use these rights to assume control of that other connected device too.

If there is no transport and memory encryption in place, there is also the risk of data being manipulated and spied on during transfer. Wearables send their data via Bluetooth or NFC interfaces, for instance, to a smartphone. This smartphone will have an app installed on it which analyses that data, then prepares and displays it graphically. Cloud services or companion devices belonging to the system are used for temporary storage. Companion devices are smartphones, tablets or PCs, for example, to which wearables connect.

So wearables can often be beneficial, but at the same time, using them can be risky if you have not paid enough attention to security.

Using wearables safely

Before using or buying a wearable device, users should check the following points and, wherever possible, configure their own settings to improve security. Even though there is no such thing as 100% safe, taking these steps can minimise the risk of an attacker successfully accessing the device's mini computer or associated accounts.

Informed use of wearables

Find out how your device works, what data you are generating by using it and where that data is stored. This is an important starting point for you to use your IoT devices (such as wearables) in an informed way.

The questions below will help you to better assess your device and the potential risks of using it:

  1. What sensors does the device have, e.g. a camera or microphone?
  2. What data is recorded and stored?
  3. Can you tell where the data is stored?
  4. Is this data sent to or shared with other applications?
  5. What are the potential risks of using the device and are you prepared to run those risks?

The answers to these questions will also help you to find a balance between convenience or functionality and security. Make an informed decision about whether you want to compromise on security in order to benefit from a particular function.

Security settings and updates:

  • Manufacturers should provide security updates for the long term and commit to quickly closing any vulnerabilities that are discovered.
  • Data encryption should be enabled.
  • Updates for the wearable device should be installed immediately whenever they are made available. If there is an automatic update feature, it should be enabled.

Access rights:

  • Wearables will often be connected to another companion device such as a smartphone. This means the wearable device can access the smartphone's data and functions like locations, contacts or phone status. Therefore, you should always check whether the wearable device is authorised to access the data on the companion device and disable these rights where appropriate. Conversely, apps on the companion device should only be permitted to access data on the wearable device where necessary.
  • Caution: Every update could potentially alter the authorisation structure. So you should check the rights after each update and readjust them where appropriate.

Passwords and PINs:

  • If there is an option to protect the wearable device from unauthorised access with a PIN code or password, you should make use of it.
  • Select a PIN code or password that is as secure as possible.
  • If a companion device is connected, this should also be protected by an appropriately secure password and subjected to the same security safeguards as other mobile devices. The same applies to protecting the WLAN you are using.
  • You should always replace preset codes and passwords with your own passwords or PIN codes.
  • If there is no option to protect the wearable device with a password or a PIN code, take extra care over how you store it when you are not wearing it.
  • Linked user accounts should be protected by an authentication mechanism (usually a user name and password) and, where possible, by two-factor authentication.
  • A password manager can make it easier to handle different passwords.


Connectivity and communication:

  • You should only enable the wearable device's interfaces to other devices if they are essential to the device function and are actually being used. You should disable them again where possible when they are no longer being used. This is because the more interfaces are enabled, the more points of attack are available to cyber criminals.
  • It should only be possible to connect the wearable device to and communicate with other devices if the companion device can be uniquely identified and authenticated. This can take the form of entering a PIN shown on the wearable device into the companion device, for example. This makes sure that only verified companion devices can connect to the wearable device. There are some wearables with no display at all. If this is the case, you must find out how the manufacturer guarantees its connectivity function is secure and ensures attackers cannot connect to a wearable device of this type.
  • All data should always be protected by transport and memory encryption too. Manufacturers should provide information on this in their terms and conditions or privacy policy.
  • You should always connect wearables to companion devices for the first time in a trustworthy environment, e.g. at home. This prevents sensitive information that has to be shared during the initial connection process being intercepted, for example, if keys need to be exchanged.

Demand IT security for wearables too

Wearables open up a whole host of new possibilities. They have the potential to become a mini technical companion and perhaps even to replace the wallet. But to make this happen, personal data such as account details of mobile payment services and self-measurement data needs to be stored on them. As developments progress, we can expect wearables to become more standalone devices that can be used without a companion device. If they have an always-on, direct connection to the Internet thanks to a built-in mobile radio module, for example, this will allow them to be found and addressed directly from the Internet. This could represent a risk if IT security is not taken into account when the wearable device is being manufactured and corresponding functions are not implemented. Consumers should start demanding this today and find out from manufacturers or providers just how their data is being protected both on the wearable and during transfer. At the end of the day, sensitive and personal data is a sought-after commodity, especially for online criminals who collect it for their own devious ends. So you should treat wearables with an appropriate degree of respect and caution.