Ariel Nunez / CNET
I’m dribbling a basketball in one hand, with a phone in the other, adjusting the tightness on a pair of Nike’s Bluetooth-connected sneakers on my feet.
The futuristic shoes alternate between boa constrictor-tight and comfy slipper-loose as I toggle through the app like a child flicking a light switch for the first time.
Goofing around, I try to grab my colleague’s phone so I can suffocate him via sneakers as we run around the basketball court at Nike’s headquarters in New York. All of a sudden, he isn’t trying to just play defense in basketball; he has to guard his phone, too.
Athletic apparel companies like Nike, Under Armour and Puma may find themselves similarly on the defensive as they lead the charge to infuse technology into their sneakers. After all, the smarter the object, the more likely it is to be hacked. It’s a worrisome trend that industries are dealing with as they try to find the balance between adding convenience and protecting your privacy.
Being aware of the potential security risks is even more critical for fitness apps, considering that people are more likely to share sensitive information like location, running routes and health routines. Fitness tracker Strava’s “Global Heatmap” had a privacy fiasco a year ago when it was revealing exercise routes around secret US military positions.
“These manufacturers are going to be subject to the same issues that our social networks are now under the microscope of,” said Brian Cleary, vice president of marketing at RedPoint Global, a customer data company.
And while people will be buying smart sneakers for tech features like self-tying laces, the future is in the apps, Nike executives say.
“In the future, the app will be that bridge to the powered athlete,” said Jordan Rice, Nike’s director of smart systems engineering.
Once you put a device online, you’re introducing a new opportunity for attacks, whether it’s a Nest Camera blaring alarms or your smart TV playing a PewDiePie promotional clip. And shoes are hardly the first thing to go “smart” — there’s everything from litter boxes to weights and pillows.
Nike’s Adapt BBs aren’t even the first pair of smart shoes. Under Armour has been making connected kicks for a while now — it’s on its fourth generation with its HOVR line, with an embedded chip that tracks your footsteps and running pace. Puma also entered the self-tying shoe world with the Puma Fit Intelligence line, which it announced Jan. 31.
Nike and Under Armour say they’re taking data privacy and security seriously with their new shoes. Puma, which expects to release its self-tying sneakers in 2020, didn’t offer details on its shoe security protocol.
“On top of the Bluetooth security layers, we implemented a two-way authentication protocol to guarantee only the users’ device can control their shoes,” Nike said in a statement. “Players can play with confidence knowing that they, and only they, control their shoes.”
Just for kicks
As I’m walking around at the tightest setting available for the Adapt BBs, I think about how awful it would be if a star athlete was trapped in these shoes because of a hijacked phone. Or worse, if it were me!
Admittedly, it’s an unlikely scenario. It’s only possible if somebody steals my phone and is within Bluetooth distance of the shoes.
On top of the Adapt BB’s wireless security, the shoe is locked to the device you first paired it with. Even if someone else had your account information, they wouldn’t be able to log in from a distance and tighten your shoes from another phone, according to Nike.
While Nike says it’s kept its connected sneakers safe from hackers, the concern is that as more companies try to make connected shoes, the chances of having a shoe eventually hacked will increase.
“Nike has the size and resources to do this well,” said Andrew Tierney, a security researcher with Pen Test Partners. “I think the worry is about other vendors coming along. It could be the case that they would cut corners.”
The Adapt BBs pair with Nike’s app through Bluetooth Low Energy, a connection protocol that’s often used in smart devices because it allows for longer battery life. The sneaker connection is encrypted, a Nike spokesman said.
But Bluetooth Low Energy isn’t impervious. Security researchers have found issues with BLE chips that could have allowed hackers to spread malware across hospitals and factories.
Several smart locks have been hacked over BLE, according to researchers.
“BLE, in the last year, has shown to be hand-in-hand with bad security,” Tierney said.
The security firm’s focus has been on products like locks and alarms, and fortunately, there’s a big difference between smart locks and sneakers when it comes to security via BLE.
“With sneakers, you’re only going to have one person and one device paired to it. When you’re looking at a door lock, four to five people are supposed to be able to control it,” Tierney said. “It’s very easy to make Bluetooth pair to one device securely.”
Soft ‘wear’ security
With connected shoes, there are more concerns than just messing with your sneaker’s fit.
These shoes are collecting data, like your steps, running pace and, in some cases, your height and weight. They’re using that data to make better sneakers, and also feeding it to artificial intelligence to offer you coaching tips for a better workout.
“We are essentially putting a mobile research lab on the feet of athletes all over the world, and creating a whole new frontier to accelerate both product development and sports science,” Michael Donaghu, Nike’s vice president of innovation, said at an event last month.
It makes sense that people are willing to share information with fitness apps, which they downloaded to help them live healthier lives. But the apps can’t help unless you hand over information like your diet and exercise routine.
“Even with all of the privacy breach issues, consumers are still willing to give information,” Cleary said. “You just gotta show them what they get in return.”
It means trusting companies like Nike and Under Armour with your workout information, the same way that Facebook and Google hope you trust them with data about your social life.
Unlike social networks, though, sneaker companies aren’t looking to make money off of your data — at least directly.
Nike and Under Armour say they have no plans to sell or share the information they collect with third parties. But just because they don’t have plans to share that data doesn’t mean it can’t be stolen.
Last March, Under Armour said its MyFitnessPal app had been hacked, with thieves stealing data including usernames, email addresses and hashed passwords, from 150 million accounts.
To use the connected footwear features on Under Armour’s new HOVR sneakers, you need to make an account and connect it with the MapMyRun app, which has 260 million users. The app doesn’t have two-factor authentication, a standard security feature for protecting accounts from hackers.
“We continually evaluate the privacy and security of our apps with keen attention to current privacy and security industry standards,” a company spokeswoman said in a statement.
So even if the sneakers themselves are properly secured, the apps are another risk that comes with connected shoes.
“We’ve seen this with fitness-tracking apps. There’s lots of things where the actual device is secure, but the cloud service behind it is awful,” Tierney said. “There’s potential for abuse there.”