
With smart sneakers, privacy risks take a great leap

Privacy experts are waiting for the other shoe to drop on connected kicks.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

The Nike Adapt BB, a pair of self-tying shoes, is controlled through an app.

Ariel Nunez / CNET

I'm dribbling a basketball in one hand, with a phone in the other, adjusting the tightness on a pair of Nike's Bluetooth-connected, self-tying Adapt BB sneakers on my feet.

The futuristic shoes, which go on sale for $350 on Feb. 17, alternate between boa constrictor-tight and comfy slipper-loose as I toggle through the app like a child flicking a light switch for the first time.

Goofing around, I try to grab my colleague's phone so I can suffocate him via sneakers as we run around the basketball court at Nike's headquarters in New York. All of a sudden, he isn't trying to just play defense in basketball; he has to guard his phone, too.

Athletic apparel companies like Nike, Under Armour and Puma may find themselves similarly on the defensive as they lead the charge to infuse technology into their sneakers. After all, the smarter the object, the more likely it is to be hacked. It's a worrisome trend that industries are dealing with as they try to find the balance between adding convenience and protecting your privacy.


Being aware of the potential security risks is even more critical for fitness apps, considering that people are more likely to share sensitive information like location, running routes and health routines. Fitness tracker Strava's "Global Heatmap" had a privacy fiasco a year ago when it was revealing exercise routes around secret US military positions.

"These manufacturers are going to be subject to the same issues that our social networks are now under the microscope of," said Brian Cleary, vice president of marketing at RedPoint Global, a customer data company.

And while people will be buying smart sneakers for tech features like self-tying laces, the future is in the apps, Nike executives say.

"In the future, the app will be that bridge to the powered athlete," said Jordan Rice, Nike's director of smart systems engineering.

Once you put a device online, you're introducing a new opportunity for attacks, whether it's a Nest Camera blaring alarms or your smart TV playing a PewDiePie promotional clip. And shoes are hardly the first thing to go "smart" -- there's everything from litter boxes to weights and pillows.

Nike's Adapt BBs aren't even the first pair of smart shoes. Under Armour has been making connected kicks for a while now -- it's on its fourth generation with its HOVR line, with an embedded chip that tracks your footsteps and running pace. Puma also entered the self-tying shoe world with the Puma Fit Intelligence line, which it announced Jan. 31.

Nike and Under Armour say they're taking data privacy and security seriously with their new shoes. Puma, which expects to release its self-tying sneakers in 2020, didn't offer details on its shoe security protocol.

"On top of the Bluetooth security layers, we implemented a two-way authentication protocol to guarantee only the users' device can control their shoes," Nike said in a statement. "Players can play with confidence knowing that they, and only they, control their shoes."

Just for kicks

As I'm walking around at the tightest setting available for the Adapt BBs, I think about how awful it would be if a star athlete was trapped in these shoes because of a hijacked phone. Or worse, if it were me!

Admittedly, it's an unlikely scenario. It's only possible if somebody steals my phone and is within Bluetooth distance of the shoes.

On top of the Adapt BB's wireless security, the shoe is locked to the device you first paired it with. Even if someone else had your account information, they wouldn't be able to log in from a distance and tighten your shoes from another phone, according to Nike.

While Nike says it's kept its connected sneakers safe from hackers, the concern is that as more companies try to make connected shoes, the chances of having a shoe eventually hacked will increase.

"Nike has the size and resources to do this well," said Andrew Tierney, a security researcher with Pen Test Partners. "I think the worry is about other vendors coming along. It could be the case that they would cut corners."

Tied up

The Adapt BBs pair with Nike's app through Bluetooth Low Energy, a connection protocol that's often used in smart devices because it allows for longer battery life. The sneaker connection is encrypted, a Nike spokesman said.

But Bluetooth Low Energy isn't impervious. Security researchers have found issues with BLE chips that could have allowed hackers to spread malware across hospitals and factories.

Several smart locks have been hacked over BLE, according to researchers.

"BLE, in the last year, has shown to be hand-in-hand with bad security," Tierney said.

The security firm's focus has been on products like locks and alarms, and fortunately, there's a big difference between smart locks and sneakers when it comes to security via BLE.

"With sneakers, you're only going to have one person and one device paired to it. When you're looking at a door lock, four to five people are supposed to be able to control it," Tierney said. "It's very easy to make Bluetooth pair to one device securely."

Soft 'wear' security

With connected shoes, there are more concerns than just messing with your sneaker's fit.

These shoes are collecting data, like your steps, running pace and, in some cases, your height and weight. They're using that data to make better sneakers, and also feeding it to artificial intelligence to offer you coaching tips for a better workout.


Nike's app will do more than just control the laces on your sneakers. The company wants to collect data through the app to help athletes with their performance.

Nike

"We are essentially putting a mobile research lab on the feet of athletes all over the world, and creating a whole new frontier to accelerate both product development and sports science," Michael Donaghu, Nike's vice president of innovation, said at an event last month.

It makes sense that people are willing to share information with fitness apps, which they downloaded to help them live healthier lives. But the apps can't help unless you hand over information like your diet and exercise routine.

"Even with all of the privacy breach issues, consumers are still willing to give information," Cleary said. "You just gotta show them what they get in return."

It means trusting companies like Nike and Under Armour with your workout information, the same way that Facebook and Google hope you trust them with data about your social life.

Unlike social networks, though, sneaker companies aren't looking to make money off of your data -- at least directly.

Under Armour's privacy policy allows it to share your data for advertising and marketing purposes, and when you run, it can share your location data with third parties for personalized ads, with consent.

App worries

Nike and Under Armour say they have no plans to sell or share the information they collect with third parties. But just because they don't have plans to share that data doesn't mean it can't be stolen.

Last March, Under Armour said its MyFitnessPal app had been hacked, with thieves stealing data including usernames, email addresses and hashed passwords, from 150 million accounts.


Inside the shoebox for Under Armour's new line of HOVR sneakers, which have a chip inside that tracks your steps and running activity.

Alfred Ng / CNET

To use the connected footwear features on Under Armour's new HOVR sneakers, you need to make an account and connect it with the MapMyRun app, which has 260 million users. The app doesn't have two-factor authentication, a standard security feature for protecting accounts from hackers.

"We continually evaluate the privacy and security of our apps with keen attention to current privacy and security industry standards," a company spokeswoman said in a statement.

So even if the sneakers themselves are properly secured, the apps are another risk that comes with connected shoes.

"We've seen this with fitness-tracking apps. There's lots of things where the actual device is secure, but the cloud service behind it is awful," Tierney said. "There's potential for abuse there."
