Last Monday, Summerhall played host to this year’s edition of the BCS Sydney Michaelson Memorial Lecture as part of the 2017 Edinburgh Science Festival. The discussion, titled ‘Wearables That Snitch on Us’, concerned the security risks associated with wearable technology, a particularly current theme due to the explosion in popularity of such devices combined with several high-profile hacks. It is predicted that over 250 million activity tracking bands, smart watches, and personal health monitors will be in use by 2020, driven by the cost of these devices dropping as competition between manufacturers becomes more intense.
The lecture began with a heartfelt review of the life of Sydney Michaelson by the Chair of the session, Prof. William Buchanan, Professor of Computing at Edinburgh Napier University. He spoke of a man who did so much to advance the field of computer science, from a laboratory tool used for calculation by other sciences to a rigorous academic discipline in its own right. It is fitting, then, that Michaelson held the first Professorship in Computing at the University of Edinburgh. After a short catalogue of these achievements, Prof. Buchanan finished his introduction by telling of how Michaelson was a strong advocate of civil rights and liberties, stating that he would be ‘quite frankly, disgusted’ with how the technology he did so much to advance could now be used for nefariously invading the privacy of individuals.
Next up to speak was Dr. Paul Patras, Lecturer and Chancellor’s Fellow in the School of Informatics at the University of Edinburgh. He first gave a brief overview of the different types of wearable technology on the market and mentioned a few examples currently in development. The benefits of integrating these types of sensors into health and social services were then explained, with particular reference to the potential improvements in the efficiency of an already well oversubscribed National Health Service in the U.K. It is not difficult to imagine the appeal to the NHS of tapping into the masses of data potentially made available by these devices in the current climate of political pressure to perform better.
Unfortunately, the benefits of accessing data from wearable technology appeal not only to well-intentioned healthcare professionals. Every device that connects via Bluetooth transmits a uniquely identifying hardware serial, which can then be found by other devices. It is then conceivable to track the movements of a user and who they interact with by tracing this serial. Dr. Patras then announced he was to demonstrate this very technique, prompting several audience members to scramble frantically to turn off their mobile phones. Within thirty seconds he managed to find a whole array of mobile phones and wearable electronics along with their identifying serials.
The main contributing factors to the risks surrounding wearable technology were summarised in three categories. Firstly, the constrained device capabilities associated with a small processor and a reduced amount of memory mean that the device cannot execute the complex cryptographic algorithms required to secure data at point of transmission. Secondly, the top priority of the device manufacturers is to be the main development driver and, as such, releasing the product before competitors often comes at the expense of rigorous cyber-safety testing. Finally, there is a chronic shortage of skilled developers with an understanding of wireless data sharing, leading to avoidable weaknesses finding their way into the devices.
After the talk, Dr. Patras and Prof. Buchanan fielded questions from the audience, raising important points about user apathy to security and where the responsibility of ensuring high standards of cyber-security should lie. The overriding impression was that, despite the efforts of teams such as Dr. Patras’, technological change is occurring too quickly and not enough effort is being made by manufacturers to ensure these kinds of security breaches are not possible. This, in conjunction with apathy and a lack of understanding of cyber-security from the general public, means that there remains a latent risk associated with the use of the devices.
This report was written by James Hitchen and edited by Teodora Aldea.