Symantec, the maker of Norton Antivirus, has uncovered serious vulnerabilities in wearables and life-tracking apps that hackers can exploit to track our day-to-day lives. The team used a modified Raspberry Pi to show how easy and inexpensive it is to capture the data that wearables and other life-logging devices transmit to our smartphones. Wearables such as smartwatches and fitness trackers capture personal data and communicate with smartphones using Bluetooth Low Energy. The team took a regular Raspberry Pi microcomputer, fitted it with accessories such as a battery pack, an SD card and a Bluetooth 4.0 adapter, and, with some custom scripting and the microcomputer’s open source software, built the Blueberry Pi. They took Blueberry Pi devices to public locations and sporting events in Ireland and Switzerland and placed them at strategic locations to capture data from wearables. Most importantly, they never programmed the Blueberry Pi to forcibly connect to any wearable; instead, it was programmed only to pick up nearby signals. During this experiment they found that all the devices they encountered could easily be tracked using the unique hardware address they transmit. Depending on the configuration of some devices, it was also possible to extract details such as the serial number and other characteristics of the device from a short distance.
Image Courtesy: Symantec
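Whether a wearable can be followed by its hardware address depends on the kind of Bluetooth Low Energy address it advertises. The Python sketch below is an added example, not Symantec's code: it goes beyond the article by classifying the address types defined in the Bluetooth specification and auditing an advertising log from a device you own. The sample logs are constructed, and the 15-minute rotation threshold is an assumption.

```python
from collections import Counter

# Sub-type of a random address: two most significant bits of the 48-bit address.
_RANDOM_SUBTYPES = {
    0b11: "random-static",
    0b01: "resolvable-private",
    0b00: "non-resolvable-private",
    0b10: "reserved",
}
_STABLE = {"public", "random-static"}   # kinds that do not rotate
ROTATION_LIMIT_S = 15 * 60              # assumption: private addresses should change within this

def classify(address: str, is_random: bool) -> str:
    """Classify an address; is_random is the TxAdd bit of the advertising PDU."""
    octets = bytes.fromhex(address.replace(":", ""))
    if len(octets) != 6:
        raise ValueError(f"expected 6 octets, got {len(octets)}")
    return _RANDOM_SUBTYPES[octets[0] >> 6] if is_random else "public"

def audit(sightings):
    """sightings: (unix_time, address, is_random) tuples for ONE device under test."""
    sightings = sorted(sightings)
    kinds = Counter(classify(addr, rnd) for _, addr, rnd in sightings)
    distinct = {addr.upper() for _, addr, _ in sightings}
    span = sightings[-1][0] - sightings[0][0]
    # Trackable if the address type never rotates, or a private address
    # was seen unchanged for longer than the rotation limit.
    stuck = len(distinct) == 1 and span > ROTATION_LIMIT_S
    return {
        "kinds": dict(kinds),
        "distinct_addresses": len(distinct),
        "span_seconds": span,
        "trackable": bool(kinds.keys() & _STABLE) or stuck,
    }

# Constructed advertising logs for two hypothetical wearables.
FIXED_ADDRESS_LOG = [(t, "D4:36:39:AA:BB:CC", True) for t in (0, 1800, 3600)]
ROTATING_LOG = [
    (0, "4A:11:22:33:44:55", True),
    (900, "7C:66:77:88:99:AA", True),
    (1800, "52:0B:0C:0D:0E:0F", True),
]

if __name__ == "__main__":
    for name, log in (("fixed", FIXED_ADDRESS_LOG), ("rotating", ROTATING_LOG)):
        print(name, audit(log))
```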
So why is Symantec concerned about this? According to their blog post, burglars and stalkers can use this information to check your whereabouts. They think that hardware manufacturers have not given much thought to the privacy implications of their products, as it was very easy to monitor the devices using rudimentary skills and off-the-shelf products. The second part of their experiment involved life-logging apps. As you are aware, there are a lot of apps on the market that help you keep track of what you are doing and where you have been. These apps require you to sign up for an account and sync your activities to the cloud for record keeping. The team at Symantec was baffled to discover that nearly 20% of these apps transmitted user credentials in plain text. Without encryption, it is very easy to intercept important data that is transmitted over the internet. Couple this with people’s habit of using the same passwords everywhere and you have got a blunder.
Image Courtesy: Symantec
Other things they uncovered in their experiment were unintentional data leakage caused by apps contacting multiple domains, a lack of privacy policies and incorrect user session handling. To prevent a privacy nightmare, the company has asked people to follow some do’s and don’ts. Some of these are pretty basic, such as using strong passwords, switching off location tracking and Bluetooth when not needed, sharing carefully on social media and avoiding suspicious apps that require way too much information from you. Advanced users should use a device-based security solution and, if possible, switch to full device encryption.
To know more about their research you can head over to the Symantec blog, and since it is a weekend we recommend you spend some extra time perusing the whitepaper [PDF File].