Comparison and Solution
- DATA COLLECTION METHOD AND TESTING PROCESS
- Data Collection
- Security Test Process
- Data Securing within Mobile Health Devices
- Fitness Trackers’ Secure Data Communication Model
- Suggestions to Add Security to Fitness Trackers
- Future Challenges of Wearable Devices
- Insecure Network
- Lightweight Protocols for Devices
- Data Sharing
Analysing the strengths of the selected devices, connection capabilities and data storage structure, such devices have more security and privacy concerns. There is a high chance that user data can be compromised or gained by man-in-the-middle attacks, although there are a lot of improvements that have been made by the device manufacturers. The security vulnerabilities and potential security attacks on the mobile health devices are summarized in Table 6.1.
Table 6.1 shows that the selected mobile health devices are not free from common security vulnerabilities, and the devices that have been chosen for analysis have a lack of authentication. Without implementing proper security authentication, the devices can be accessed by unauthorized activities such as eavesdropping, DoS and brute-force attacks. We find that Jawbone devices can reveal the exact locations that users recently visited. Thus, DoS attacks can be deciphered, and third parties can easily gain access to the device. Similarly, Google Glasses have major privacy issues since Glasses are capable of taking pictures and recording without people’s knowledge. Therefore, eavesdropping and spyware attacks can take place.
DATA COLLECTION METHOD AND TESTING PROCESS
Data collection is a major issue in the healthcare system because it makes it easier to collect patient’s information and directly send it to healthcare professionals which allows personalized treatment and improves communication between patients and
Comparison of Security Vulnerability and Attacks for Fitbit, Jawbone, Google Glass and Samsung Galaxy Watch
Mobile Health Devices
Week authentication Bluetooth Low Energy Technology (BTLE)
Privacy: Tracks visited locations
Data injection, DOS and battery drain hacks
Lacking privacy features Exact location tracked
Denial of service
Privacy: Capable of unauthorized picture and video recording Suspicious eye movement Unsecure network and hostile environment
For Wi-Fi setup, requires QR code
Wi-Fi hijacking Eavesdropping and spyware Easy recording system by nearby people due to gesture-based authentication scheme
QR photo-bombing malware
Samsung Galaxy Watch
Weak authentication process 
Brute-force attack 
doctors in figuring out health conditions (The Importance of Data Collection in Healthcare and Its Benefits, 2020 ). In this era of advanced technology, the use of mobile health devices in the health sector is increasing. For collecting data through mobile health devices, we can use mobile applications which run on mobile health devices. These mobile applications can build up a connection between patients and doctors and can access information from databases.
Security Test Process
After collecting data, we can test security by the following process.
At first we have to detect the existence of mobile health devices by observing the communication channels of the device, which will also allow us to know the type of the device, software, operating system, etc. Through this we can find whether the device is safe or risky.
Then we have to monitor the device’s activity to know about all running processes, memory, etc. After this we have to check whether this running process can be performed without admin privileges or not which will let us know that whether the data are secure or not. Then we have to check if an application of the mobile health device can collect and store sensor data on the device. If it can’t then the device is safe; if it can access only normal data then it’s not a major issue, but if it can access sensitive data like GPS location then the device is at major risk. After this we can try to manipulate data between the sender and receiver to inject errors or noise into the data. If the device ignores this kind of data, then it’s safe, but if it crashes or acts differently, then the device is not safe. At last we have to list all the vulnerabilities so that after improving the device’s security we can check again.
Data Securing within Mobile Health Devices
Data security is a major concern of mobile health devices. Fitness trackers are widely adopted and are easy to use. There are many concerns about the lack of data security in fitness devices and it often escalates to the highly vulnerable risks for users. The following is a summary of the reasons for the lack of data security and privacy in mobile health devices:
Lack of testing: Fitness devices are constantly updating their features due to market competition so there would be possible rushes to release products or new features to the marketplace. As a result, there may be a lack of proper testing and strong security coding oversight [5, 34, 35].
Size of the device: Most of the fitness devices are very tiny and there is very limited space to create security features by adding extra hardware as manufacturers would worry about the device weight and user experience.
Cost down: Due to fierce competition in this market, the fitness devices generally cannot be priced too high, which would be a possible cause for not having sufficient memory space and lack-of-quality coding leading to the failure of the strengthening of device security.
Fitness Trackers’ Secure Data Communication Model
A built-in security mechanism is one of the most important features for the user authentication process because it generates a secure PIN system. A secure PIN system prevents unauthorized access in a device or system because it tends to store data without encryption. Cyber-attacks often take place due to poor security management that causes the devices to be extremely vulnerable. The hacker could control every single aspect of the device through the initial injection called a firmware attack, which allows attackers’ access to local data storage. After a successful firmware attack, the devices are open for modification, encrypted key or Bluetooth functionality. As a result, attackers could send or inject random values into memory as a step count to the server as valid encrypted frames [5, 35-37].
Suggestions to Add Security to Fitness Trackers
The following initiatives and practices help cover the minimal security and privacy of fitness trackers:
Firmware needs to be regularly updated or developed for all fitness devices. Gadget LE privacy and changes of MAC address should be required at random periodical times, such as every ten minutes.
While a mobile health device is pairing with a mobile phone, the mobile health device firmware should include a fixed and private Identity Resolving Key (IRK).
In general, mobile health device firmware MAC addresses are permanent, which causes theft of localhost addresses. But if the mobile health device firmware randomly generates new MAC addresses every ten minutes on IRK, hackers would not be able to identify the host address number [17,25].
HTTPS can be used to minimize the risk of data vulnerability; its main purpose is to maintain data authentication . HTTPS would encrypt data and secure transmitted data. Currently the most common architecture of web services is REST, based on HTTP (The Importance of Data Collection in Healthcare and Its Benefits, 2020 ). But the most protection standard method for this model of communication is Transport Layer Security (TLS) or Secure Socket Layer (SSL). HTTPS ensures a safe, encrypted communication channel between the client app and backend server. The implementation of an HTTPS security feature is very simple but has some common pitfalls from the user’s perspective. The problem of HTTPS security is mainly an improper implementation that reduces to replacing the protocol name in the URL from http to https. Although HTTP implementation will enable TLS/SSL encryption, it will not ensure a good enough security level. It is very important to implement the HTTPS configuration correctly because HTTPS implementation enables TLS/SSL encryption. The TLS standard is based on X509 certificates and asymmetric encryption (The Importance of Data Collection in Healthcare and Its Benefits, 2020 ). X509 certificates in which a public key requires the unique identification that the associated private key is owned by the correct person with which a digital signature or an encryption mechanism is used. In this process, mobile apps verify encryption certificates by just replacing the protocol name, meaning that the attacker can generate their own fake certificates. The certificate allows man-in-the-middle attacks to intercept communications between the user and the cloud server, so HTTPS configuration is vital to avoid such an attack for data transmission.
Cryptography is another form of data encryption that encodes the message or data so that hackers cannot read it but it can be authorized. In cryptography, the Advanced Encryption Standard (AES) algorithm is used. In this process the message block size 128 bits of text is fixed (plain or cipher) where the same key is used on both the encrypt and decrypt sides and the key length is 128, 192 or 256 bits. When a user sends a longer message, the message is divided into 128-bit blocks. One of the advantages of longer keys is that the longer keys make the cipher more difficult to break as well as enforcing longer encryption and decryption.
Using the Public Key Encryption (PKI) method, we can achieve proper authentication of the device to secure data transmission. The device will encrypt data using a public key, and the monitoring application will use the private key to decrypt the data. In case someone manages to get the public key, it’s still not possible to retrieve the private key.
Security pinning is another method to ensure secure data transmission where the connection between the device and server will be aborted if any unauthorized identity is present. In this method, the developer implements Certificate Pinning on the server to verify on the client side [33, 38-40]. This verification requires the server certificate and fingerprint to identify the mobile app to establish the connection with the mobile app so the app compares the user fingerprint with a certificate from the remote server. The authentication sends the connection to the server if the user fingerprint is identical. Hence the server connection is rejected immediately if the user fingerprint is not identical, as this means the communication or data will be compromised.
Future Challenges of Wearable Devices
Healthcare system IoT security and privacy systems impact in various ways to enhance data security and privacy. To get a better data security and privacy environment, several challenges require special attention from healthcare device developers.
An insecure network is one of the biggest challenges for secure data transfer in wearable health devices because of the convenience and low cost. For data transmission, device and software services rely heavily on wireless networks, such as Wi-Fi, which are the main cause of vulnerabilities to various intrusions including man-in-middle attacks, denial of service attacks, traffic injection, spoofing, unauthorized router access and brute-force attacks. In addition, hotspot wireless service is mostly on free wireless networks in public places and user unconsciously connect to networks which have not been certified and are untrusted.
Lightweight Protocols for Devices
In many cases, a wearable device is a low-cost structure which means poor software patches and lightweight protocols are used for built-in security. There is a conflict in health device data security methods because of low-cost software applications based on sensors. At present, if we want to provide high-grade security for the sensor, the device developer must apply high-cost solutions and should follow specific policy and proxy rules to prove secure data transmission service. So developing the different levels of security protocols according to the application scenarios, especially communication network security protocols and authenticated security, is the main task of security protection for wearable health devices in the future.
The wearable health device involves sensitive data sharing and data gathering from the healthcare system to monitor the user’s activities in many ways, varying widely, which makes it difficult to unify secure data management. So information collaboration and sharing among the diverse data communicating systems of healthcare devices constitute an inevitable unsecure data breach trend of the future. The privatization of user information could be very affected by the security and privacy vulnerabilities of wearable healthcare devices. Employing general data policies to combine different data could provide more comprehensible information and enhance user security and privacy while establishing a hierarchical security model.
The health device faces many challenges such as the massiveness of medical data and sensitivity of patient information. User data on mobile health devices could be compromised through Bluetooth connections to mobile applications that push and pull data from the cloud server. Communication between the server and app is found to be secure, but the MAC address could cause a significant data leak from devices. While all the above-described devices provide a reasonable level of privacy and data security overall, the tangible and secure data REST methods on the server for those health devices would provide more user data security and privacy.
- 1. Mobile Health Device Technology Market Research Report (2018). Retrieved from https://www.transparencymarketresearch.com/article/mobile health device-technology -market.htm.
- 2. Singlesteve. (2019). Your titbit is definitely broadcasting your location. Retrieved from http://www.bu.edu/articles/2019/fitbit-bluetooth-vulnerability.
- 3. Federal Trade Commission Staff Report on the November 2013 Workshop Entitled the Internet of Things: Privacy and Security in a Connected World. (2019, March 11). Retrieved from https://www.ftc.gov/reports/federal-trade-commission-staff-report -november-2013-workshop-entitled-internet-things.
- 4. Al-Muhtadi, J., Mickunas, D., & Campbell, R. (2001). Mobile health device security services. In Proceedings 21st International Conference on Distributed Computing Systems Workshops (pp. 266-271). doi: 10.1109/cdcs.2001.918716.
- 5. Makarevich, A. (2019, April 23). Vulnerabilities of fitness trackers & how to overcome them. Retrieved from https://r-stylelab.com/company/blog/iot/vulnerability-of-fitness- trackers-risks-they-are-facing-and-tips-to-minimize-them.
- 6. Internet of Things Security Study: Smartwatches. (2020). Retrieved from https://www .ftc.gov/system/files/documents/public_comments/2015/10/00050-98093.pdf.
- 7. Ching, K. W„ & Singh, M. M. (2016). Mobile health device technology devices security and privacy vulnerability analysis. International Journal of Network Security & Its Applications, 8(3), 19-30. doi: 10.5121/ijnsa.2016.830.
- 8. Storm, D., & Storm, D. (2015). Researcher says Fitbit can be wirelessly hacked to infect PCs, Fitbit says not true. Retrieved from https://www.computerworld.com/article/2997561 /researcher-says-fitbit-can-be-wirelessly-hacked-to-infect-pcs-fitbit-says-not-true.html.
- 9. Konstantinou, C„ & Maniatakos, M. (2015). Impact of firmware modification attacks on power systems field devices. In IEEE International Conference on Smart Grid Communications (SmartGridComm). doi: 10.1109/smartgridcomm.2015.7436314.
- 10. Cyr, B., Horn, W., Miao, D., & Specter, M. A. (2014). Security analysis of wearable fitness devices (fitbit). Massachusetts Institute of Technology, 1.
- 11. Hale, M. L., Lotfy, K., Gamble, R. F., Walter, C., & Lin, J. (2018). Developing a platform to evaluate and assess the security of mobile health device devices. Digital Communications and Networks, 5(3), 147-159. doi: 10.1016/j.dcan.2018.10.009.
- 12. Fitbit Help. (2020). Retrieved from https://help.fitbit.eom/customer/portal/artides/9 87748-how-do-fitbit-trackers-sync-with-android-de.
- 13. Safavi, Seyedmostafa, & Shukur, Zarina. (2014). Improving google glass security and privacy by changing the physical and software structure. Life Sciences, 11, 109-117.
- 14. Special Eurobarometer 431: Data protection—ecodp. common, ckan. site title. (2020). Retrieved from https://data.europa.eu/euodp/el/data/dataset/S2075_83_l_431_ENG.
- 15. Wu, M., Luo, J., & Online Journal of Nursing Informatics Contributors. (2020, January 30). Mobile health device technology applications in healthcare: A literature review. Retrieved from https://www.himss.org/resources/mobile health device-technology-ap plications-healthcare-literature-review.
- 16. Andrew Hilts et al. Every step you fake, https://openeffect.ca/reports/ Every_Step_You _Fake.pdf.Accessed: 02.07.2020 (not understanding).
- 17. Hilts, A. (2016, April 5). Every step you fake: Final report released. Retrieved from https://openeffect.ca/every-step-you-fake-final-report-released/.
- 18. Martin, J. A. (2017). 10 things you need to know about the security risks of mobile health devices. Retrieved from https://www.cio.com/article/3185946/10-things-you- need-to-know-about-the-security-risks-of-mobile health devices.html.
- 19. Tara Seals US/North America News. (2017, September 18). Fitbit vulnerabilities expose wearer data. Retrieved from https://www.infosecurity-magazine.com/news/fitbit-vulne rabilities-expose/.
- 20. Pinola. M. (2020, February 2). What Bluetooth Is and How It Works. Retrieved from https://www.lifewire.com/what-is-bluetooth-2377412.
- 21. Ansley, C. (2019). 2019 Fall Technical Forum. MAC Randomization in Mobile Devices,
- 22. Jawbone. (2020). Retrieved from https://mobile health devicezone.com/: https://mobile health devicezone.com/companies/jawbone.
- 23. Rise and fall of the Jawbone UP24: The tracker that changed mobile health device tech. (2019, June 14). Retrieved from https://www.wareable.com/fitness-trackers/remember ing-the-jawbone-up24-7320.
- 24. Woolley Martin, M. (2019, August 26). Bluetooth Technology Protecting Your Privacy. Retrieved from https://www.bluetooth.com/blog/bluetooth-technology-protecting-your -privacy/.
- 25. Hilts, A. (2016, February 2). Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security. Retrieved from https://openeffect.ca/fitness-tracker-pr ivacy-and-security/.
- 26. Advantages & Disadvantages of Google Glasses. (2019, June 4). Retrieved from https:/ /blog.hostonnet.com/advantages-disadvantages-of-google-glasses.
- 27. Widmer, A., Schaer, R., Markonis, D., & Muller, H. (2014). Facilitating medical information search using Google Glass connected to a content-based medical image retrieval system. In Proceedings of the 36th Annual International Conference of the IEEE Engineering in Medicine and Biology Society, doi: 10.1109/embc.2014.6944625.
- 28. Schaer, Muller, & Widmer . (2016). Using smart glasses in medical emergency situations, a qualitative pilot study, 2016 IEEE Wireless Health (WH). Bethesda, MD, 2016, pp. 1-5. doi: 10.1109/WH.2016.7764556.
- 29. Privacy Implications of Google Glass. (2013, June 13). Retrieved from https://resources .infosecinstitute.com/privacy-implications-of-google-glass/.
- 30. Pairing Glass to your Bluetooth phone. (2020). Retrieved from https://support.google ,com/glass/answer/3064189?hl=en&ref_topic=3056776.
- 31. Swider. M. (2017, February 21). Google glass review. Retrieved from https://www.tec hradar.com/reviews/gadgets/google-glass-1152283/review/7.
- 32. How to connect Samsung Galaxy Watch to Mobile Device or Bluetooth Headset? Samsung Support Singapore. (2019, October 17). Retrieved from https://www.samsung. com/sg/support/mobile-devices/how-to-connect-samsung-galaxy-watch-to-mobile -device-or-bluetooth-headset/.
- 33. The Importance of Data Collection in Healthcare and Its Benefits. (2020, April 9). Retrieved from https://www.sam-solutions.com/blog/the-importance-of-data-collect ion-in-healthcare/39.
- 34. Emm, D.. Nikishin. A.. & Gostev, A. (2015). Kaspersky Security Bulletin 2015. Top security stories. Retrieved from https://securelist.com/kaspersky-security-bulletin -2015-top-security-stories/72886/.
- 35. Vulnerability-of-fitness-trackers-risks-they-are-facing-and-tips-to-minimize-them (September 24, 2018). Retrieved from: https://r-stylelab.com/company/blog/iot/vulne rability-of-fitness-trackers-risks-they-are-facing-and-tips-to-minimize-them.
- 36. Improving google glass security and privacy by changing, (n.d.). Retrieved from https:// www.researchgate.net/publication/265867348_Improving_Google_glass_security_an d_privacy_by_changing_the_physical_and_software_structure.
- 37. Endpoint Protection, (n.d.). Retrieved from https://www.symantec.com/connect/blogs/ google-glass-still-vulnerable-wifi-hijacking-despite-qr-photobombing-patch.
- 38. HP, Study Reveals Smartwatches Vulnerable to Attack. (2020). Retrieved from https:// www8.hp.com/us/en/hp-news/press-release.html?id=2037386#.Vil8G7crLIU.
- 39. Arsene, L. (2015, January 30). Bitdefender Research Exposes Security Risks of Android Mobile health device Devices. Retrieved from http://www.darkreading.com /partnerperspectives/bitdefender/bitdefender-research-exposes-security-risks-of-andr oid-mobile health device-devices/a/d-id/1318005.
- 40. Markiewicz, M. (2018, May 29). 3 Ways How to Implement Certificate Pinning on Android. Retrieved from N netguru: https://www.netguru.com/codestories/3-ways-ho w-to-implement-certificate-pinning-on-android.
hup:.‘VLuy I urundfr-ei гю s.curn