Presentation Material
Abstract
Wearable platforms today enable rich, next-generation experiences such as secure payments, specialized sports tracking and precise location monitoring. Data collection is only the first step for these products. The real “user experience” is often the result of a complex mesh of interactions between wearables, smartphones, cloud-hosted array of web applications and analytics software. Designing and validating security for such ecosystems, the kind of which never existed until a few years ago, demands brand-new lines of thinking and security best practices. Wearables live and operate on the human body, collecting a wealth of personal data. This gives rise to new challenges in storing such data securely and conforming to privacy regulations, especially in a world where consumer privacy laws are so diverse.
The Oakley Radar Pace is a head-worn real time, voice-activated coaching system that creates and manages training programs for track running or cycling. The “coach” is an NLP-powered voice assistant on the eyewear. User can converse with it hands-free, and get advanced feedback on their performance.
In our presentation, we talk about the security and privacy research that went into designing and developing Radar Pace, including a custom Security Development Lifecycle (SDL) that accounted for the three “branches” of the program: wearable, phone and the cloud. We present examples of vulnerabilities and privacy problems associated with such new classes of products. While the applications and use cases for wearables are limited only by the designers’ imagination, the best practices we have pioneered will be useful and can easily be reapplied by vendors creating new wearables and IoT products. The goal of our presentation is to educate attendees about shedding the old notions of privacy and Security Development Lifecycle when preparing for the products of the future, as well as to discuss interesting security vulnerabilities in such technologies
AI Generated Summarymay contain errors
Here is a summary of the content:
The discussion revolves around security vulnerabilities in IoT devices, specifically Strava fitness trackers leaking information about military locations. The speaker highlights the importance of quantifying privacy vulnerabilities, similar to how security teams use the Common Vulnerability Scoring System (CVSS) framework to score and prioritize security bugs.
When it comes to IoT devices, traditional security testing lifecycle (STL) processes may not be effective due to rapid time-to-market, evolving requirements, and design changes. The speaker proposes a rethinking of STL for IoT devices, emphasizing the need for agility, attention to specific architecture, and consideration of protocols, third-party code, interoperability, cloud, mobile app, and device interactions.
The discussion concludes with a Q&A session, where the speaker answers whether a security development lifecycle can be applied generically to IoT platforms. The answer is yes, but with caveats - there is no one-size-fits-all formula, and STL processes must be tailored to each product’s specific needs.