Do Wearable Devices Spill Secrets?Sizing Up the Privacy Risks of Fitness-Tracking Apps
Apps for wearable devices that are designed to track a user's pulse rate, blood-oxygen level or location may be leaking that personal data. That warning was sounded by Symantec security researcher Candid WÃ¼eest in an Oct. 16 briefing at the Black Hat Europe conference in Amsterdam.
See Also: 2016 State of Threat Intelligence Study
The researcher said the leaked data could enable account hijacking or targeted spam attacks and reveal a user's location, leading to privacy concerns and, in a worst-case scenario, the potential for the information to be abused by extortionists or stalkers (see Privacy Controls for Fitness Devices?).
Compounding that concern was the finding that each app shares personal data with - on average - five sites. Those sites vary from app-related analytics sites and advertising networks to social media sites and marketing networks. One of the apps, meanwhile, shared the recorded data with 14 sites.
WÃ¼eest also found that 20 percent of the studied apps were transmitting login credentials in clear text, meaning that they could be intercepted by anyone connected to the same public WiFi hotspot as one of the devices, or who planted a Bluetooth sniffer within range of one of the devices. Some of the other applications, while they did encrypt credentials, failed to encrypt the personal data being transmitted, which an attacker might use to deduce the identity of the user. Finally, many app makers and device manufacturers failed to secure the information being stored on their site, meaning that an enterprising hacker could access all personal data that had been uploaded from devices tied to the service.
To study the types of data that fitness-tracking devices and apps leak, WÃ¼eest earlier this year built several Bluetooth trackers at a cost of $75 each, composed of a Raspberry Pi computer - seemingly de rigeuer for this year's Black Hat presentations - as well as a Bluetooth 4.0 dongle, battery pack and SD card. He then secreted these scanners at the starting line and midway point of a Dublin mini-marathon this past summer. "We thought most people would use their Fitbits if they had one," he said, referring to a popular fitness-tracking device.
Tracking individual devices turned out to be easy, because none were randomizing their MAC address. All told, WÃ¼eest's Bluetooth sniffers recorded 563 different fitness-related devices, including Fitbit Flex - the most popular - as well as Jawbone, Pebble "smartwatches," Polar sports watches and Nike+ shoe sensors. Of the devices found, 30 were broadcasting not only personal data, but also device names that, in many cases, appeared to refer to the user's real name - tying the data to the user.
"Spammers would love it, because you get the e-mail address, the real name, and a context, because if you go back, you can see, for example, how many kilos [of weight] you're trying to lose," he said.
Missing: Data Encryption
None of the devices that he tracked were encrypting personal data before transmitting it. "Bluetooth actually allows you to use encryption, but so far I haven't seen any of the devices using encryption, although it could be that it would drain the battery life a little more quickly," he said.
At the Black Hat briefing, one attendee asked WÃ¼eest why self-tracking device manufacturers and app developers aren't prioritizing security and privacy. "That's a question we've been asking for 10 years or longer," he replied. "Oftentimes it's, 'We haven't heard any complaints from users,' or 'Why would someone track you?'"
On a related note, WÃ¼eest has been crawling the halls of Black Hat with his scanner. But by the start of his presentation, he'd only recorded eight devices in total, one of which was being worn by a conference-site employee. Admittedly, however, his briefing was scheduled for the morning of Oct. 16 - the first day - leaving him little time to amass related data. But he promised to update those statistics before the conference's end.
Seeking Privacy Brokers