Do Wearable Devices Spill Secrets?

Sizing Up the Privacy Risks of Fitness-Tracking Apps
Do Wearable Devices Spill Secrets?
Candid Wüeest

Apps for wearable devices that are designed to track a user's pulse rate, blood-oxygen level or location may be leaking that personal data. That warning was sounded by Symantec security researcher Candid Wüeest in an Oct. 16 briefing at the Black Hat Europe conference in Amsterdam.

See Also: Achieving Advanced Threat Resilience: Best Practices for Protection, Detection and Correction

The researcher said the leaked data could enable account hijacking or targeted spam attacks and reveal a user's location, leading to privacy concerns and, in a worst-case scenario, the potential for the information to be abused by extortionists or stalkers (see Privacy Controls for Fitness Devices?).

In a study of the top 100 most popular personal fitness-tracking apps on both the Apple Store and Google Play, Wüeest found that information being transmitted by the apps often included the user's name, e-mail, password, birthday and target weight, as well as their Facebook and Google access tokens. Alarmingly, however, 52 percent of those apps offered users no privacy policy, "which leaves you with a fuzzy feeling of, they could do anything with your information - and legally, it might be tough to pursue them for any potential damages," he said.

Compounding that concern was the finding that each app shares personal data with - on average - five sites. Those sites vary from app-related analytics sites and advertising networks to social media sites and marketing networks. One of the apps, meanwhile, shared the recorded data with 14 sites.

Wüeest also found that 20 percent of the studied apps were transmitting login credentials in clear text, meaning that they could be intercepted by anyone connected to the same public WiFi hotspot as one of the devices, or who planted a Bluetooth sniffer within range of one of the devices. Some of the other applications, while they did encrypt credentials, failed to encrypt the personal data being transmitted, which an attacker might use to deduce the identity of the user. Finally, many app makers and device manufacturers failed to secure the information being stored on their site, meaning that an enterprising hacker could access all personal data that had been uploaded from devices tied to the service.

Sniffing Test

To study the types of data that fitness-tracking devices and apps leak, Wüeest earlier this year built several Bluetooth trackers at a cost of $75 each, composed of a Raspberry Pi computer - seemingly de rigeuer for this year's Black Hat presentations - as well as a Bluetooth 4.0 dongle, battery pack and SD card. He then secreted these scanners at the starting line and midway point of a Dublin mini-marathon this past summer. "We thought most people would use their Fitbits if they had one," he said, referring to a popular fitness-tracking device.

Tracking individual devices turned out to be easy, because none were randomizing their MAC address. All told, Wüeest's Bluetooth sniffers recorded 563 different fitness-related devices, including Fitbit Flex - the most popular - as well as Jawbone, Pebble "smartwatches," Polar sports watches and Nike+ shoe sensors. Of the devices found, 30 were broadcasting not only personal data, but also device names that, in many cases, appeared to refer to the user's real name - tying the data to the user.

"Spammers would love it, because you get the e-mail address, the real name, and a context, because if you go back, you can see, for example, how many kilos [of weight] you're trying to lose," he said.

Missing: Data Encryption

None of the devices that he tracked were encrypting personal data before transmitting it. "Bluetooth actually allows you to use encryption, but so far I haven't seen any of the devices using encryption, although it could be that it would drain the battery life a little more quickly," he said.

At the Black Hat briefing, one attendee asked Wüeest why self-tracking device manufacturers and app developers aren't prioritizing security and privacy. "That's a question we've been asking for 10 years or longer," he replied. "Oftentimes it's, 'We haven't heard any complaints from users,' or 'Why would someone track you?'"

On a related note, Wüeest has been crawling the halls of Black Hat with his scanner. But by the start of his presentation, he'd only recorded eight devices in total, one of which was being worn by a conference-site employee. Admittedly, however, his briefing was scheduled for the morning of Oct. 16 - the first day - leaving him little time to amass related data. But he promised to update those statistics before the conference's end.

Seeking Privacy Brokers

One potential fix for personal-tracking privacy concerns, Wüeest said, might be for developers to tap Apple HealthKit, Google Fit or Samsung Architecture Multimodal Interactions to serve as data brokers. Apple, for example, won't allow any third party to access HealthKit unless it first has a privacy policy in place. Pending those sorts of promises, however, he warned would-be users to keep a close eye on personal-tracking device and app builders' privacy assurances.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network