Life-tracking devices fail privacy, security tests: Symantec

Developers of life-tracking devices are failing to build adequate security protections into their designs and potentially leaking private location and health data as a result, a Symantec study of the emerging 'quantified self' market has revealed.

The Symantec project saw researchers use Raspberry Pi mini computers to build a number of WiFi and Bluetooth Low Energy scanning devices, which were brought into public areas and used to determine how much private information could be gleaned from passively polling devices in the area.

All of the wearable devices studied, the researchers found, were vulnerable to location tracking: when multiple scanners were set up along the course of a European road race, for example, researchers were able to use devices' unique MAC addresses to trace the movement of many athletes and determine each runner's average time. Similarly responsive trackers were found during scans of passersby in the CBDs of Dublin, Ireland and Zurich, Switzerland.

Some vendors have already recognised the dangers of tracking: Apple, for example, is disabling MAC address broadcasting in its upcoming iOS 8 operating system. “This shows that major vendors have recognized that network address tracking and its privacy implications are a real threat to users,” the Symantec report, entitled How Safe Is Your Quantified Self?, notes.
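To make the two preceding points concrete, here is an added illustration (not code from the Symantec report or from CSO) of the correlation the road-race scanners relied on, and of why an address that changes between sightings defeats it. The scan records, checkpoint distances and addresses are constructed sample data.

```python
"""Link passive scan sightings by device address across checkpoints, as the
road-race study did, then show that per-sighting address randomisation
leaves nothing to link. All records here are constructed sample data."""
from collections import defaultdict
import secrets

# Constructed sample: (checkpoint_km, seconds_since_start, device_address).
# Three wearables with stable addresses, each seen at three checkpoints.
STABLE_SCANS = [
    (0, 0, "aa:bb:cc:00:00:01"), (0, 5, "aa:bb:cc:00:00:02"), (0, 9, "aa:bb:cc:00:00:03"),
    (5, 1500, "aa:bb:cc:00:00:01"), (5, 1320, "aa:bb:cc:00:00:02"), (5, 1800, "aa:bb:cc:00:00:03"),
    (10, 3000, "aa:bb:cc:00:00:01"), (10, 2700, "aa:bb:cc:00:00:02"), (10, 3700, "aa:bb:cc:00:00:03"),
]

def link_tracks(scans):
    """Group sightings by address; each track is a sorted list of (checkpoint, time)."""
    tracks = defaultdict(list)
    for checkpoint, ts, addr in scans:
        tracks[addr].append((checkpoint, ts))
    return {addr: sorted(t) for addr, t in tracks.items()}

def pace_per_km(track):
    """Average seconds per km over a track, or None if it spans fewer than 2 checkpoints."""
    if len(track) < 2:
        return None
    (k0, t0), (k1, t1) = track[0], track[-1]
    return (t1 - t0) / (k1 - k0)

def randomise(scans):
    """Simulate a device that presents a fresh random address at every sighting
    (hypothetical stand-in for vendor address randomisation)."""
    return [(k, ts, secrets.token_hex(6)) for k, ts, _ in scans]

def linkable_count(scans):
    """Number of tracks spanning 2+ checkpoints, i.e. how many people could be followed."""
    return sum(1 for t in link_tracks(scans).values() if len(t) >= 2)
```

With stable addresses every device yields a full track and a pace; after `randomise()` each sighting is a one-off and no track survives.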

Yet the researchers also found that many of the devices were insecurely linked with their companion smartphones or tablets, transmitting passwords in cleartext and failing to secure data before it was uploaded to supporting cloud services.

“This is pretty concerning when we know many users are using the same username and password across all the services they access online,” Symantec technology strategist Mark Shaw told CSO Australia.

“It's really not acceptable in this day and age that application developers should be allowing this sort of thing. It's quite extraordinary.”

While such oversight is not uncommon in fast-growing markets like that for life trackers – which Consumer Electronics Association senior research analyst Kevin Tillmann estimated as being worth $US1.15 billion this year alone – it still reflects poor “security hygiene”, Shaw said.

“It would seem that security considerations are being given a lower priority,” he explained. “If you're accessing one of these applications, in many cases it is quite simple to extract this information. From a security perspective, these devices have a fair way to go.”

Exposure to such security issues is likely to increase in line with the market's growth, which is likely to accelerate once individual-tracking devices like Apple's iBeacon come into widespread use.

Yet the actual exchange of data was only part of the problem: only 48 percent of the vendors offered “any sort of privacy policy that the user could read”, Shaw said.

“That's pretty concerning given that there are, in most jurisdictions, regulations around privacy requirements and how organisations are gathering, storing and transmitting personal data. This is an area of concern.”

While much of the data from the devices is not of the type traditionally identified as personally identifiable information (PII) in legislation such as Australia's revamped Privacy Act, collecting it over time offers interesting insights for those determined to exploit it.

“As you go about correlating this data,” Shaw continued, “it paints a very accurate picture of who the user is and where they go on a regular basis. There are a whole bunch of things in there that we should be taking care of more effectively. We're potentially seeing just the tip of the iceberg here.”
