Cloudmark is now part of Proofpoint. Learn More

About Proofpoint

Virus Bulletin 2014: Leaking data of the quantified self

Quantify yourself much?  Candid Wüest of Symantec gave a fascinating presentation on the lax security in various wearable devices at the 2014 Virus Bulletin conference in Seattle.  The so-called “quantifiable self” is a trend in gadgetry that most people will be aware of, if not necessarily by name.  Probably the most famous example is the Fitbit, a wrist band that allows users to measure their progress in achieving fitness goals.  Others include sleep measuring devices, heart rate monitors, even devices that record the process of trying to have a baby!

Due to their small form factor, these kinds of devices are generally not powerful enough to connect to the web over WI-FI or mobile phone networks, so they piggy-back on the user’s mobile phone to do this for them.  This is achieved via Bluetooth low energy (BTLE), a newer form of Bluetooth designed with low power consumption and enhanced security in mind.  However, Candid showed that it is still possible to intercept communications sent over this medium, and demonstrated a proof-of-concept whereby he was able to track users at Virus Bulletin using a custom Raspberry Pi device.  Using this technique, inference of a user’s identity is just a matter of basic detective work.  Indeed, while performing the same test at a running event in Ireland, Candid noted that some users had entered their own name in their devices ID field – eliminating even that effort.  It is also relatively trivial to perform real-time triangulation of a user’s location of a user with three such devices.

If that is not bad enough, Candid showed that many of the mobile application developers supporting these devices gave very little thought (or none at all) to security.  In many cases, user credentials were transmitted in plain text.  Even in cases where credentials were hashed, other details such as birth date, geo-location, time stamps were not.  Furthermore, most applications do not even present a privacy policy to the user.

The mobile applications themselves generally upload user data to various cloud-hosted sites.  In one case, an application was uploading to 14 separate locations!  And while companies claim they are very careful with your data, the fact is this data is being aggregated, as evidenced by recently published data showing the sleep trends for four California towns during the recent earthquake.

This is particularly alarming when we take into consideration the potential effects of data leakage.  In one great example given, an application that records the begin and end times for a couple attempting to conceive are uploaded to the user’s account in the cloud.  This kind of private data could be very embarrassing were it leaked.

Of course, the kinds of data exposed by these applications would be a boon for any spammer.  A user with say, diabetes, would more likely to be fooled by a personalized phishing email offering them cheap insulin!  Alternatively, where some services offer monetary incentives to attend the gym, a wily user could sign up, inject their trips to the gym from the comfort of their couch, and let the money roll in – it is not just the end users that have the potential to be scammed!

Early adopters: be very careful who you entrust the intimate details of your life to.


Leave a Reply

Your email address will not be published. Required fields are marked

Learn More About Cloudmark
Our Products
News and Events
Site Map  •  Privacy Policy  •  ©2002–2019 Cloudmark, Inc.