智能穿戴设备的安全与隐私威胁研究

doi:10.3969/j.issn.1671-1122.2022.10.014

摘要/Abstract

摘要：

文章从设备架构和数据通信两方面研究了智能穿戴设备广泛存在的安全问题。以Apple Watch为例，基于智能手表上敏感数据的存储和传输方式，提出敏感数据的提取模型，该模型创新性地结合设备本机及配对设备来分析智能穿戴设备收集存储的敏感数据存在的安全风险。文章通过提取实例验证了模型的有效性，智能手表类穿戴计算设备不仅具有采集大量敏感数据的能力，且在数据存储和配对机制方面存在安全与隐私威胁。文章提出的模型及实验验证过程对进一步研究物联网环境下的各类智能终端设备安全具有重要意义。

关键词: 智能穿戴设备, 安全, 隐私, 数据提取模型, Apple Watch

Abstract:

This paper studied the widespread security problems of smart wearable devices from two aspects: device architecture and data communication. Taking Apple Watch as an example, this paper proposed an extraction model of sensitive data based on the storage and transmission mode of sensitive data on the smart watch. This model innovatively combined the device itself and paired device, analyzed the sensitive data collected and stored by smart wearable devices and the existing security risks. Finally, the feasibility and validity of the proposed model was confirmed through the experiments. Wearable computing devices not only have the ability to collect a large amount of sensitive data, but also have security and privacy threats in data storage and pairing mechanism. The proposed model and the process of experimental verification is of great significance for further research on the security of various intelligent terminal devices in the Internet of Things.

Key words: smart wearable devices, security, privacy, data extraction model, Apple Watch

中图分类号:

TP309

倪雪莉, 王群, 梁广俊. 智能穿戴设备的安全与隐私威胁研究[J]. 信息网络安全, 2022, 22(10): 98-107.

NI Xueli, WANG Qun, LIANG Guangjun. Research on Security and Privacy Threats of Smart Wearable Devices[J]. Netinfo Security, 2022, 22(10): 98-107.

图/表 17

图1

表1

图2

表2

图3

图4

图5

图6

图7

图8

图9

图10

图11

图12

图13

图14

表3

参考文献 20

[1]	SUN Wen, LIU Jiajia, ZHANG Haibin. When Smart Wearables Meet Intelligent Vehicles: Challenges and Future Directions[J]. IEEE Wireless Communications, 2017, 24(3): 58-65.
[2]	WALTER C, HALE M L, GAMBLE R F. Imposing Security Awareness on Wearables[C]// IEEE. 2016 IEEE/ACM 2nd International Workshop on Software Engineering for Smart Cyber-Physical Systems (SEsCPS). Austin: IEEE, 2016: 29-35.
[3]	QIU Yue. Security Analysis for the Information of Wearable Devices[J]. Netinfo Security, 2016, 16(9): 79-83.
	裘玥. 智能可穿戴设备信息安全分析[J]. 信息网络安全, 2016, 16(9): 79-83.
[4]	MICHAEL K, MICHAEL M G. Apple Watch Temptation: Just Visit the App Store[J]. IEEE Consumer Electronics Magazine, 2015, 4(4): 120-122.
[5]	HATHALIYA J J, TANWAR S. An Exhaustive Survey on Security and Privacy Issues in Healthcare 4.0[J]. Computer Communications, 2020, 153: 311-335.
[6]	DO Q, MARTINI B, CHOO K. Is the Data on Your Wearable Device Secure? An Android Wear Smartwatch Case Study[J]. Software: Practice and Experience, 2017, 47(3): 391-403.
[7]	ZHANG Chi, SHAHRIAR H, RIAD A. Security and Privacy Analysis of Wearable Health Device[C]// IEEE. 2016 IEEE/ACM 2nd International Workshop on Software Engineering for Smart Cyber-Physical Systems (SEsCPS). Madrid: IEEE, 2020: 1767-1772.
[8]	BARUA A, ALAMIN A A, HOSSAIN S, et al. Security and Privacy Threats for Bluetooth Low Energy in IoT and Wearable Devices: A Comprehensive Survey[J]. IEEE Open Journal of the Communications Society, 2022, 3: 251-281.
[9]	YANG Minghui, GUO Junqi, ZHAO Ziyun, et al. Teenager Health Oriented Data Security and Privacy Protection Research for Smart Wearable Device[J]. Procedia Computer Science, 2020, 174: 333-339.
[10]	DAS A K, WAZID M, KUMAR N, et al. Design of Secure and Lightweight Authentication Protocol for Wearable Devices Environment[J]. IEEE Journal of Biomedical and Health Informatics, 2018, 22(4): 1310-1322.
[11]	SIBONI S, SHABTAI A, TIPPENHAUER N O, et al. Advanced Security Testbed Framework for Wearable IoT Devices[J]. ACM Transactions on Internet Technology, 2016, 16(4): 1-26.
[12]	AHMAD M, ALQARNI M A, KHAN A, et al. Smartwatch-Based Legitimate User Identification for Cloud-Based Secure Services[EB/OL]. (2018-08-14)[2022-05-03]. https://www.hindawi.com/journals/misy/2018/5107024/.
[13]	LEE J, PARK S, KIM Y G, et al. Advanced Authentication Method by Geometric Data Analysis Based on User Behavior and Biometrics for IoT Device with Touchscreen[J]. Electronics, 2021, 10(21): 1-13.
[14]	LIU Wei, LIU Hong, WAN Yueliang, et al. The Yoking-Proof-Based Authentication Protocol for Cloud-Assisted Wearable Devices[J]. Personal & Ubiquitous Computing, 2016, 20(3): 469-479.
[15]	LIU Sha, HU Shun, WENG Jian, et al. A Novel Asymmetric Three-party Based Authentication Scheme in Wearable Devices Environment[J]. Journal of Network & Computer Applications, 2016, 60: 144-154.
[16]	DEY S, ROY N, XU W, et al. AccelPrint: Imperfections of Accelerometers Make Smartphones Trackable[C]// ISOC. 2014 Network and Distributed System Security Symposium. San Diego: ISOC, 2014: 1-16.
[17]	MICHALEVSKY Y, BONEH D, NAKIBLY G. Gyrophone: Recognizing Speech From Gyroscope Signals[C]// USENIX Association. 23rd USENIX Security Symposium. San Diego: USENIX, 2014: 1053-1067.
[18]	ZHANG Chen. NFC Lightweight Security Authentication Method in Internet of Things[D]. Xi’an: Xidian University, 2019.
	张晨. 物联网下NFC轻量级安全认证方法研究[D]. 西安: 西安电子科技大学, 2019.
[19]	WANG Ting, WANG Na, CUI Yunpeng, et al. The Optimization Method of Wireless Network Attacks Detection Based on Semi-Supervised Learning[J]. Journal of Computer Research and Development, 2020, 57(4): 791-802.
	王婷, 王娜, 崔运鹏, 等. 基于半监督学习的无线网络攻击行为检测优化方法[J]. 计算机研究与发展, 2020, 57(4): 791-802.
[20]	ZHAO Haoming. Research on Security Flaws and Attack Verification of Mobile Communication[D]. Chongqing: Chongqing University of Posts and Telecommunications, 2021.
	赵昊明. 移动通信网络安全缺陷研究与攻击验证[D]. 重庆: 重庆邮电大学, 2021.

通信方式	安全威胁
USB连接	若攻击者感染了穿戴设备所连接的设备（如手机、PC等）或拥有该设备的物理访问权限，则有可能通过USB连接获得穿戴设备上的所有数据
蓝牙	蓝牙低能耗（Bluetooth Low Energy, BLE）技术因其超低能耗、高数据传输速度、易于开发等特点，已成为物联网和智能穿戴设备的实际通信协议。由于该协议设计简单，所以存在大量的安全和隐私漏洞^[8]
NFC	最新的穿戴设备可以通过近场通信（Near Field Communication，NFC）技术进行通信。攻击者在近距离内会尝试以窃听、篡改、伪造身份^[18]等多种手段绕过正常的身份认证，获取敏感隐私数据，进而破坏系统的安全性
WiFi	较新的穿戴设备能够直接连接WiFi网络，在针对WiFi环境的网络攻击行为持续演化和升级的态势下^[19]，为恶意攻击者提供了强大的媒介
蜂窝移动网络	部分功能较强大的穿戴设备具备蜂窝移动网络功能（如Apple Watch），针对无线空口的各类攻击与漏洞不断出现并被公开披露^[20]，4G及5G网络存在的安全隐患，在穿戴设备上同样存在

提取方法	数据存储位置	提取内容
备份提取分析	配对iPhone的iTunes备份	Apple Watch设备信息、Apple Watch备份文件夹、健康数据备份
设备本机提取	Apple Watch设备本机	Apple Watch设备与应用信息、AFC媒体文件、Apple Watch日志
健康数据分析	“健康”App导出	运动轨迹、健康信息ECG心电图诊断报告

提取内容	备份提取	设备本机提取	健康数据分析
相册与照片		√
自定义表盘图片	√
Apple Watch设备信息	√	√
健康数据	√		√
运动轨迹			√
ECG心电图诊断报告			√
邮箱信息	√
电子钱包	√
应用程序列表与信息	√	√
缩略图文件		√
音乐文件		√
媒体购买记录等数据库		√
Apple Watch日志文件		√