Mid last week the storied Internet security gurus at Symantec released a detailed whitepaper report, damning several popular wearables as some of the least secure pieces of the mobile gadget armada available to customers today.
As it turns out, many popular fitness bands and wearables such as those produced by Nike and Samsung to be used in conjunction with fitness applications on a user’s phone rely on openly transmitted MAC addresses to link up with. This makes them easy targets for any custom devices to clone when the relays are set to scan the same channels for any linked phones in close enough proximity to its radio signal.
“All wearable activity-tracking devices can be tracked or located through wireless protocol transmissions. There are many wearable sports activity-tracking devices currently available on the market. These devices generally contain sensors to detect motion but most are not designed for location tracking.”
One of these custom jobs is a homemade device which Symantec dubs “Blueberry Pi”, which is nothing more than an Raspberry Pi with Bluetooth 4.0, a battery pack, a 4GB SD card, open source software and a little custom scripting, put together for $75.
These were tested in public areas in Ireland and Switzerland, including at a public footrace where hundreds of phones and tablets were immediately made available for the taking once they were able to broadcast their illicit signal and pick up the details of everything within 500 yards that happened to chirp back.
“Data collected by these devices generally has to be synced to another device or computer so that it can be viewed. For convenience, many manufacturers use Bluetooth Low Energy to allow the device to wirelessly sync data to a smartphone or computer. However, this convenience comes with a price; the device may be giving away information that can allow it to be tracked from one location to another.”
Things were even worse on the software side, with over 20 percent of the apps surveyed not even bothering to encrypt data and credentials sent back to central servers.
Once loaded into the cloud, many of the companies who offer to track everything from a user’s running distance to their average heart rate during the race will then turn that data into marketable information to sell to advertisers.
Without any identity protection to speak of, all it would take is a simple “wget” command and an attacker could learn almost everything they need to know about their targets habits and whereabouts in an instant.
The one drawback for hackers is they must physically be in range of the fitness band in order to gain access to the phones they’ve been installed on, though many in the underground actual prefer this method of attack, as it renders them invisible to outside networks which could blow their cover if protected by secure routers or real time address-verification services.
To prevent your vitals and movements from being transmitted to nosy neighbors who live along your jogging route, be sure to link up your Bluetooth wearables in stealth mode (if available), and never allow any devices you don’t recognize to pair with your iOS/Android phone unless you explicitly recognize them beforehand.