Developers of life-tracking devices are failing to build adequate security protections into their designs and potentially leaking private location and health data as a result, a Symantec study of the emerging 'quantified self' market has revealed.
The Symantec project saw researchers use Raspberry Pi mini computers to build a number of WiFi and Bluetooth Low Energy scanning devices, which were brought into public areas and used to determine how much private information could be gleaned simply by listening passively to the broadcasts of devices in the area, without connecting to any of them.
All of the wearable devices studied, the researchers found, were vulnerable to location tracking: when multiple scanners were set up at points along the course of a European road race, for example, researchers were able to use the devices' unique MAC addresses to trace the movement of individual athletes along the route and estimate each runner's elapsed time between scanning points. Similarly trackable devices were found during scans of passersby in the central business districts of Dublin, Ireland and Zurich, Switzerland.
Vendors such as Apple have already recognised the dangers of this kind of tracking: its upcoming iOS 8 operating system randomises the MAC address a device uses in Wi-Fi probe requests while it is not associated with a network, so a passive scanner no longer sees a stable hardware identifier. “This shows that major vendors have recognized that network address tracking and its privacy implications are a real threat to users,” the Symantec report, entitled How Safe Is Your Quantified Self?, notes.
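To make the race-course experiment concrete, the following is an added example (not code from the Symantec study or its report) that correlates constructed sighting logs from three scanners placed along a route, recovers each stable MAC address's splits and average pace, and shows why a randomised, locally-administered address of the kind iOS 8 uses in probe requests cannot be correlated the same way. The scanner identifiers, their positions in kilometres, the MAC addresses and the timestamps are all assumptions invented for the illustration.

```python
"""Correlating passive Wi-Fi/BLE sightings of a MAC address across scanners.

Added example, not the Symantec researchers' code. Everything below is
constructed: the scanner names, their positions along the route, the
MAC addresses and the timestamps.
"""
from collections import defaultdict
from datetime import datetime

# Assumed scanner positions, in km along the race route.
SCANNER_KM = {"S1": 0.0, "S2": 5.0, "S3": 10.0}

# Constructed log lines: "<scanner> <ISO timestamp> <MAC address>".
# ac:de:48:... addresses play the part of stable, manufacturer-assigned MACs;
# da:, 6e: and 12: have the U/L bit set, i.e. they look like randomised MACs.
SIGHTINGS = """\
S1 2014-07-20T09:00:05 ac:de:48:00:00:01
S1 2014-07-20T09:00:07 ac:de:48:00:00:02
S1 2014-07-20T09:00:09 da:1b:7c:3e:10:55
S2 2014-07-20T09:25:05 ac:de:48:00:00:01
S2 2014-07-20T09:30:07 ac:de:48:00:00:02
S2 2014-07-20T09:28:00 6e:44:0a:91:cc:02
S3 2014-07-20T09:50:05 ac:de:48:00:00:01
S3 2014-07-20T10:00:07 ac:de:48:00:00:02
S3 2014-07-20T09:55:00 12:aa:0b:77:ee:03
"""


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02) of the first octet is set.

    Randomised MAC addresses are locally administered, so they carry no
    stable manufacturer-assigned identifier to correlate across scanners.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_sightings(text: str):
    """Parse log lines into {mac: {scanner: first sighting time}}."""
    seen = defaultdict(dict)
    for line in text.splitlines():
        scanner, ts, mac = line.split()
        mac = mac.lower()
        when = datetime.fromisoformat(ts)
        if scanner not in seen[mac] or when < seen[mac][scanner]:
            seen[mac][scanner] = when
    return seen


def trace_runners(text: str, positions=SCANNER_KM):
    """Trace every stable MAC seen at two or more scanners.

    Returns (traced, uncorrelated): traced maps a MAC to its per-segment
    splits in minutes and its average pace in min/km; uncorrelated lists
    the randomised addresses that were set aside as non-identifying.
    """
    traced, uncorrelated = {}, []
    for mac, by_scanner in parse_sightings(text).items():
        if is_locally_administered(mac):
            uncorrelated.append(mac)
            continue
        if len(by_scanner) < 2:
            continue  # one sighting gives presence, not movement
        ordered = sorted(by_scanner.items(), key=lambda kv: positions[kv[0]])
        splits = []
        for (s_a, t_a), (s_b, t_b) in zip(ordered, ordered[1:]):
            minutes = (t_b - t_a).total_seconds() / 60
            splits.append((s_a, s_b, round(minutes, 1)))
        total_min = (ordered[-1][1] - ordered[0][1]).total_seconds() / 60
        total_km = positions[ordered[-1][0]] - positions[ordered[0][0]]
        traced[mac] = {"splits": splits,
                       "avg_min_per_km": round(total_min / total_km, 2)}
    return traced, uncorrelated


if __name__ == "__main__":
    traced, uncorrelated = trace_runners(SIGHTINGS)
    for mac, info in traced.items():
        print(mac, info["splits"], f"{info['avg_min_per_km']} min/km")
    print("randomised, not correlated:", uncorrelated)
```

The point of the U/L-bit check is the defensive one: a device that randomises its probe-request address still shows up at every scanner, but each sighting looks like a different, locally-administered address, so the per-runner timeline that the stable addresses give away cannot be rebuilt from it.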
Yet the researchers also found that many of the devices were insecurely linked with their companion smartphones or tablets, transmitting passwords in cleartext and failing to secure data before it was uploaded to supporting cloud services.
“This is pretty concerning when we know many users are using the same username and password across all the services they access online,” Symantec technology strategist Mark Shaw told CSO Australia.
“It's really not acceptable in this day and age that application developers should be allowing this sort of thing. It's quite extraordinary.”
While such oversight is not uncommon in fast-growing markets like that for life trackers – which Consumer Electronics Association senior research analyst Kevin Tillmann estimated as being worth $US1.15 billion this year alone – it still reflects poor “security hygiene”, Shaw said.
“It would seem that security considerations are being given a lower priority,” he explained. “If you're accessing one of these applications, in many cases it is quite simple to extract this information. From a security perspective, these devices have a fair way to go.”
Exposure to such security issues is likely to increase in line with the market's growth, which is likely to accelerate once Bluetooth Low Energy beacon technologies such as Apple's iBeacon, which let venues detect and interact with nearby devices, come into widespread use.
“That's pretty concerning given that there are, in most jurisdictions, regulations around privacy requirements and how organisations are gathering, storing and transmitting personal data. This is an area of concern.”
While much of the data from the devices is not of the type traditionally identified as personally identifiable information (PII) in legislation such as Australia's revamped Privacy Act, collecting it over time offers interesting insights for those determined to exploit it.
“As you go about correlating this data,” Shaw continued, “it paints a very accurate picture of who the user is and where they go on a regular basis. There are a whole bunch of things in there that we should be taking care of more effectively. We're potentially seeing just the tip of the iceberg here.”