Are you whiling away the time until you get your first smartwatch, or preparing to run to the local store to buy the latest fitness tracker?
If so, you may wish to know that snoops can track such devices with hardware costing a fraction of the price you will be paying for the latest in wearable tech.
New research from Symantec has shown that it is possible to track individuals, even in crowded places, via cheap and readily accessible hardware.
The security firm took a Raspberry Pi and added components including a Bluetooth 4.0 adapter (the version that introduced Bluetooth Low Energy, the radio wearables use to advertise themselves), an SD card and a battery pack. All in, the home-made tracker cost around $75, which is about £44 or €56.
The company took a number of such devices to busy public locations in both Switzerland and Ireland, as well as to a major sporting event, and ran them in passive mode: they transmitted nothing and simply listened for the signals the wearables themselves broadcast. That alone was enough for the RasPis to track every device they encountered via the unique hardware address each one transmits; some devices additionally answered remote queries that revealed a serial number or other distinguishing characteristics. The researchers wrote:
“In our testing, we found that all the devices we encountered can be easily tracked using the unique hardware address that they transmit. Some devices (depending on configuration) may allow for remote querying, through which information such as the serial number or a combination of characteristics of the device can be discovered by a third party from a short distance away without making any physical contact with the device.”
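To make the passive-tracking point concrete, here is an added example (my own code, not Symantec's) showing what a listener like the RasPi setup actually works with: it parses HCI LE Advertising Report events of the kind a Bluetooth 4.0 adapter hands up to the host, classifies each advertiser's address as fixed or rotating, pulls out the local name and manufacturer ID that give the "combination of characteristics", and keeps a per-address sighting log. The packets are constructed inline so the script runs offline; in a real deployment they would come from a raw HCI socket or a btsnoop/pcap capture. The per-report byte layout follows the one the Linux BlueZ stack parses (event type, address type, address, data length, data, RSSI); the device names, addresses and the 0xFFFF company ID are made-up test values.

```python
"""Passive BLE advertising sniffer: parse HCI LE Advertising Report events,
classify advertiser addresses, and log sightings per address.

Added example, not Symantec's code. All packets below are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HCI_EVENT_PKT = 0x04              # H4 packet indicator for an HCI event
EVT_LE_META = 0x3E                # LE Meta event
SUBEVT_LE_ADVERTISING_REPORT = 0x02

AD_SHORT_NAME, AD_COMPLETE_NAME, AD_MANUFACTURER = 0x08, 0x09, 0xFF


@dataclass
class AdvReport:
    address: str
    address_kind: str
    rssi: int
    local_name: str = ""
    company_id: Optional[int] = None


def classify_address(addr_type: int, addr_le: bytes) -> str:
    """Classify per Core Spec Vol 6 Part B 1.3. addr_le is the on-air byte
    order (least significant byte first), so the top bits live in addr_le[5]."""
    if addr_type == 0x00:
        return "public"                 # manufacturer-assigned, never changes: trackable
    if addr_type != 0x01:
        return "unknown"
    top = addr_le[5] >> 6
    if top == 0b11:
        return "random-static"          # fixed for the life of the device (or until reboot): trackable
    if top == 0b01:
        return "resolvable-private"     # rotates periodically; only a bonded peer can resolve it
    if top == 0b00:
        return "non-resolvable-private"
    return "unknown"


def format_address(addr_le: bytes) -> str:
    return ":".join(f"{b:02X}" for b in reversed(addr_le))


def parse_ad_structures(data: bytes) -> dict:
    """Walk the (length, type, payload) AD structures in an advertising payload."""
    out = {"local_name": "", "company_id": None}
    i = 0
    while i < len(data):
        length = data[i]
        if length == 0 or i + 1 + length > len(data):
            break                       # zero length is padding; truncated structure is dropped
        ad_type, payload = data[i + 1], data[i + 2 : i + 1 + length]
        if ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            out["local_name"] = payload.decode("utf-8", errors="replace")
        elif ad_type == AD_MANUFACTURER and len(payload) >= 2:
            out["company_id"] = int.from_bytes(payload[:2], "little")
        i += 1 + length
    return out


def parse_hci_le_adv_report(pkt: bytes) -> List[AdvReport]:
    """Parse one H4-framed HCI event carrying an LE Advertising Report."""
    if len(pkt) < 5 or pkt[0] != HCI_EVENT_PKT or pkt[1] != EVT_LE_META:
        return []
    body = pkt[3 : 3 + pkt[2]]
    if len(body) < 2 or body[0] != SUBEVT_LE_ADVERTISING_REPORT:
        return []
    reports, pos = [], 2
    for _ in range(body[1]):            # num_reports
        if pos + 9 > len(body):
            break
        addr_type, addr_le, dlen = body[pos + 1], body[pos + 2 : pos + 8], body[pos + 8]
        data = body[pos + 9 : pos + 9 + dlen]
        rssi_pos = pos + 9 + dlen
        if rssi_pos >= len(body):
            break                       # report truncated
        rssi = body[rssi_pos] - 256 if body[rssi_pos] > 127 else body[rssi_pos]
        ad = parse_ad_structures(data)
        reports.append(AdvReport(format_address(addr_le), classify_address(addr_type, addr_le),
                                 rssi, ad["local_name"], ad["company_id"]))
        pos = rssi_pos + 1
    return reports


class SightingLog:
    """First/last seen, count and name per address: the raw material for tracking."""
    def __init__(self) -> None:
        self.sightings: Dict[str, dict] = {}

    def record(self, r: AdvReport, ts: float) -> None:
        s = self.sightings.setdefault(r.address, {"kind": r.address_kind, "first": ts,
                                                  "last": ts, "count": 0, "name": ""})
        s["last"], s["count"] = ts, s["count"] + 1
        if r.local_name:
            s["name"] = r.local_name

    def trackable(self) -> Dict[str, dict]:
        """Addresses that stay constant, i.e. the ones a passive sniffer can follow."""
        return {a: s for a, s in self.sightings.items() if s["kind"] in ("public", "random-static")}


def build_adv_report(addr_type: int, address: str, ad_data: bytes, rssi: int) -> bytes:
    """Construct a single-report HCI LE Advertising Report (test input only)."""
    addr_le = bytes(int(x, 16) for x in reversed(address.split(":")))
    report = bytes([0x00, addr_type]) + addr_le + bytes([len(ad_data)]) + ad_data + bytes([rssi & 0xFF])
    body = bytes([SUBEVT_LE_ADVERTISING_REPORT, 0x01]) + report
    return bytes([HCI_EVENT_PKT, EVT_LE_META, len(body)]) + body


# Constructed capture: a public-address band, a random-static watch, and one
# privacy-preserving device that rotated its resolvable private address mid-capture.
SAMPLE_STREAM = [
    (0.0, build_adv_report(0x00, "AA:BB:CC:11:22:33", b"\x02\x01\x06\x09\x09Fit-Band", -60)),
    (1.0, build_adv_report(0x01, "C4:12:34:56:78:9A", b"\x05\xFF\xFF\xFF\x01\x02", -72)),
    (2.0, build_adv_report(0x01, "4A:11:22:33:44:55", b"\x02\x01\x06", -65)),
    (900.0, build_adv_report(0x00, "AA:BB:CC:11:22:33", b"\x02\x01\x06", -58)),
    (901.0, build_adv_report(0x01, "5B:66:77:88:99:AA", b"\x02\x01\x06", -66)),
]


def run_demo() -> SightingLog:
    log = SightingLog()
    for ts, pkt in SAMPLE_STREAM:
        for r in parse_hci_le_adv_report(pkt):
            log.record(r, ts)
    return log


if __name__ == "__main__":
    for addr, s in run_demo().sightings.items():
        print(f"{addr} {s['kind']:22} seen {s['count']}x name={s['name']!r}")
```

Run with a real capture and the `trackable()` set is the list of people you could follow across the venue: the public and random-static addresses persist, while the device using resolvable private addresses shows up as two unrelated entries 15 minutes apart. That difference in address type is the single biggest factor in whether a wearable is trackable by a passive listener.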
The researchers also delved further into wearable tech and the associated apps, looking for other potential security and privacy concerns, and found several.
Researchers also discovered a large amount of unintentional data leakage with the average app contacting 5 domains (one even contacted 14 domains) in a short period of time. Whilst there may be legitimate reasons for a fitness or other tracking app to contact a number of domains for the transmission of data or to serve ads, for instance, Symantec said that the number of domains being contacted increased the risks of data leakage through human error, social engineering or careless or malicious handling of data.
The researchers also found weaknesses in the apps themselves, such as weak session management, which could allow an attacker to hijack a user's session and from there reach whatever data and account functions that session exposes.
Symantec’s blog post ends with the company pointing out that self-tracking apps and devices are not synonymous with privacy and suggesting that those who value their privacy will not get involved in self-tracking in the first place (I agree).
However, knowing that many users will continue to use fitness trackers, smartwatches, etc., regardless, the company offers up the following tips which I would describe as being little more than damage limitation rather than a security solution:
- Use a screen lock or password to prevent unauthorized access to your device
- Do not reuse the same user name and password between different sites
- Use strong passwords
- Turn off Bluetooth when not required
- Be wary of sites and services asking for unnecessary or excessive information
- Be careful when using social sharing features
- Avoid sharing location details on social media
- Install app and operating system updates when available
- Use a device-based security solution if available
- Use full device encryption if available
If you would like more information on Symantec’s research a whitepaper can be found here.