| Field | Value |
|---|---|
| Author | 林宜瑱 (Yi-Chen Lin) |
| Thesis Title | 穿戴式裝置之安全威脅與防禦方法 (Security Threats and Their Defensive Methods for Wearable Devices) |
| Advisor | 吳宗成 (Tzong-Chen Wu) |
| Committee | 何煒華, 林炫佑 |
| Degree | Master |
| Department | College of Management, Department of Information Management |
| Thesis Publication Year | 2024 |
| Graduation Academic Year | 112 |
| Language | Chinese |
| Pages | 57 |
| Keywords (in Chinese) | 穿戴式裝置、物聯網、安全、存取控制、隱私保護 |
| Keywords (in other languages) | Wearable devices, Internet of Things, Security, Access control, Privacy Protection |
| Reference times | Clicks: 592, Downloads: 13 |
Abstract:

Under the influence of Covid-19, wearable devices have become increasingly widespread in modern life: from health monitoring to fitness tracking, they provide personal data analysis and convenient services. As wearable devices proliferate, however, the security threats they face also increase. This study therefore takes wearable-device security as its focus, examining hardware, software, communications and data in depth to analyze their security and the factors behind their security risks. It also explores potential sources of security threats, including data leakage, access control, and malware infection, all of which affect security properties such as confidentiality, integrity, availability, authenticity and privacy protection; privacy issues in particular have increasingly drawn users' attention. The study further examines the security challenges wearable devices face in practical applications and, on the basis of standards and regulations, proposes corresponding defensive countermeasures and recommendations to ensure the security of wearable devices.