Description: Each day, millions of people worldwide record every aspect of their lives in an activity known as self-tracking or the quantified self, often using wearable devices. They do this for many reasons, but do they consider the risks involved? Given the amount of personal data that is generated, transmitted, and stored at various locations during self-tracking, we wanted to analyse how well this data is protected against attackers, since the quantified self produces far more than the personally identifiable information (PII) we are used to protecting.
With the upcoming HealthKit integration in Apple's iOS 8 and Google Fit for Android, we expect another boost of wearable devices and health apps soon. Many welcome the idea of Apple's and Google's fitness and health-tracking platforms, though it is unclear how quickly developers will adapt their applications to the new services. The platforms' central storage for personal fitness information is an obvious and enticing target for attackers, who could develop malicious applications to try to steal this data.
In our recently completed research, we analysed the top health applications currently available for smartphones and found all sorts of worrying behaviour. Many apps do not follow security best practices. For example, some apps submit passwords in cleartext, transmit activity details over unencrypted HTTP, allow user enumeration, or store information insecurely. Other applications contact up to 14 different service providers, spreading personal information even further. To make matters worse, more than half of the apps had no privacy policy at all. These findings raise several questions: how much data is actually gathered? Who has access to this data? How securely is it stored?
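As an added example (not code from the original research), the checks listed above can be triaged from an intercepting-proxy export of one app session. The capture below is a constructed, HAR-like list of requests; the hostnames, paths and field names are hypothetical. The functions flag credentials sent without TLS, hosts that receive any data over plain HTTP, the number of third-party services contacted, and a login endpoint whose failure responses differ between "unknown user" and "wrong password", which is what makes user enumeration possible.

```python
"""Triage of a captured app session for the issues listed above.

Added example, not part of the original talk. CAPTURE is a constructed,
HAR-like export (assumption: one entry per request, as an intercepting
proxy would produce); all hosts, paths and field names are hypothetical.
"""
from urllib.parse import parse_qs, urlsplit

FIRST_PARTY = "api.example-tracker.test"            # hypothetical app backend
SECRET_FIELDS = {"password", "pass", "pwd", "token", "session"}

# Constructed sample capture: one login attempt as the real user, one with an
# unknown account, one with a wrong password, an activity upload, and two
# third-party calls. Only the values needed for the checks are kept.
CAPTURE = [
    {"method": "POST", "url": "http://api.example-tracker.test/login",
     "body": "user=alice&password=hunter2", "status": 200, "response": "Welcome back"},
    {"method": "POST", "url": "http://api.example-tracker.test/login",
     "body": "user=nobody&password=x", "status": 404, "response": "No such user"},
    {"method": "POST", "url": "http://api.example-tracker.test/login",
     "body": "user=alice&password=wrong", "status": 401, "response": "Wrong password"},
    {"method": "POST", "url": "http://api.example-tracker.test/activity",
     "body": "lat=47.37&lon=8.54&steps=8321", "status": 200, "response": "ok"},
    {"method": "GET", "url": "https://ads.example-net.test/v1?uid=9876",
     "body": "", "status": 200, "response": ""},
    {"method": "GET", "url": "https://analytics.example-stats.test/track",
     "body": "", "status": 200, "response": ""},
]


def cleartext_credentials(capture):
    """URLs that carry a secret-looking field (body or query) without TLS."""
    hits = set()
    for req in capture:
        parts = urlsplit(req["url"])
        if parts.scheme != "http":
            continue
        fields = set(parse_qs(req["body"])) | set(parse_qs(parts.query))
        if fields & SECRET_FIELDS:
            hits.add(req["url"])
    return sorted(hits)


def plaintext_hosts(capture):
    """Hosts that receive anything over plain HTTP; activity details count too."""
    return sorted({urlsplit(r["url"]).hostname for r in capture
                   if urlsplit(r["url"]).scheme == "http"})


def third_party_hosts(capture, first_party=FIRST_PARTY):
    """Every host other than the app's own backend that saw traffic."""
    return sorted({urlsplit(r["url"]).hostname for r in capture} - {first_party})


def enumeration_oracle(capture, login_path="/login"):
    """True if failed logins are distinguishable by status code or body.

    An unknown account and a wrong password must produce the same answer;
    any observable difference lets an attacker confirm which usernames or
    e-mail addresses have accounts.
    """
    failures = {(r["status"], r["response"]) for r in capture
                if r["method"] == "POST"
                and urlsplit(r["url"]).path == login_path
                and r["status"] != 200}
    return len(failures) > 1


if __name__ == "__main__":
    print("cleartext credentials:", cleartext_credentials(CAPTURE))
    print("plain-HTTP hosts:     ", plaintext_hosts(CAPTURE))
    print("third parties:        ", third_party_hosts(CAPTURE))
    print("user enumeration:     ", enumeration_oracle(CAPTURE))
```

The enumeration check only compares failure responses; in a real audit, response length and timing differences belong in the same comparison, and the third-party count should be taken across several sessions, since ad and analytics SDKs often phone home only on first launch.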
We will also explain the different attack vectors and attack scenarios against wearable devices and their corresponding applications, with concrete examples of how cybercriminals could misuse this information. Quantified-self devices could be a spammer's dream come true, for instance, since their services expose complete user profiles with contact information and relevant contextual details.
Furthermore, we discovered that none of the analysed quantified-self sports bracelets implemented the full spectrum of privacy functions that the Bluetooth Low Energy specification offers, such as random, periodically changing device addresses. As a result, people using these activity trackers can be tracked without their knowledge by any unrelated third party, which creates worrying opportunities for stalkers and other attackers. We created a proof-of-concept Bluetooth Low Energy (BTLE) scanner based on a Raspberry Pi and performed tests in different European cities. We will discuss the recently completed scan results and demo the device. When this tracking is combined with the leakage of personally identifiable information, the dream of the quantified self can quickly become a nightmare.
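To make the tracking risk concrete, here is an added example (not the authors' scanner): a parser for the raw HCI LE Advertising Report events that a BlueZ-driven adapter on a Raspberry Pi delivers, which classifies each advertiser's address type and links sightings across cities. The packet bytes, device names, addresses and city labels are constructed; the layout of a report inside the event follows the HCI specification, and the sample packets carry one report per event.

```python
"""Link Bluetooth Low Energy advertisers across scan locations.

Added example, not the original talk's scanner. SIGHTINGS is a constructed
log of (city, raw HCI event) pairs of the kind a Raspberry Pi running a
passive BLE scan would record; names, addresses and cities are made up.
"""

HCI_EVENT_PKT = 0x04
EVT_LE_META = 0x3E
LE_ADVERTISING_REPORT = 0x02
AD_SHORT_NAME, AD_COMPLETE_NAME = 0x08, 0x09

# Constructed sightings. The bracelet "FitBand" advertises with a fixed random
# static address; the phone "Phone" rotates resolvable private addresses, so
# it shows up under a different address in the second city.
SIGHTINGS = [
    ("Zurich", bytes.fromhex("043E18020100015544332211C00C020106080946697442616E64C4")),
    ("Zurich", bytes.fromhex("043E16020100012301EFCDAB5A0A020106060950686F6E65C0")),
    ("Berlin", bytes.fromhex("043E18020100015544332211C00C020106080946697442616E64B0")),
    ("Berlin", bytes.fromhex("043E16020100019A785634127B0A020106060950686F6E65C1")),
]


def address_kind(addr_type, addr_le):
    """Classify an advertiser address by the two most significant bits.

    Address_Type 0 is a public (fixed) address. For random addresses the
    top two bits of the MSB (last byte on the wire) distinguish static
    (11) from resolvable private (01) and non-resolvable private (00).
    """
    if addr_type == 0x00:
        return "public"
    top = addr_le[5] >> 6
    return {0b11: "random-static", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")


def parse_ad(data):
    """Split advertising data into {ad_type: payload} AD structures."""
    out, i = {}, 0
    while i < len(data):
        length = data[i]
        if length == 0 or i + 1 + length > len(data):
            break                                   # padding or truncated
        out[data[i + 1]] = data[i + 2:i + 1 + length]
        i += 1 + length
    return out


def parse_adv_reports(pkt):
    """Return one dict per report in an HCI LE Advertising Report event.

    Layout: 0x04, event code 0x3E, parameter length, subevent 0x02,
    Num_Reports, then per report Event_Type(1) Address_Type(1) Address(6,
    little-endian) Length_Data(1) Data(n) RSSI(1, signed). Reports are
    taken as laid out one after another, which is what real adapters emit.
    """
    if pkt[0] != HCI_EVENT_PKT or pkt[1] != EVT_LE_META:
        raise ValueError("not an HCI LE Meta event")
    body = pkt[3:3 + pkt[2]]
    if body[0] != LE_ADVERTISING_REPORT:
        raise ValueError("not an LE Advertising Report")
    reports, off = [], 2
    for _ in range(body[1]):
        addr_type = body[off + 1]
        addr = body[off + 2:off + 8]
        dlen = body[off + 8]
        data = body[off + 9:off + 9 + dlen]
        rssi = body[off + 9 + dlen]
        off += 10 + dlen
        ad = parse_ad(data)
        name = ad.get(AD_COMPLETE_NAME) or ad.get(AD_SHORT_NAME) or b""
        reports.append({
            "addr": ":".join(f"{b:02X}" for b in reversed(addr)),
            "kind": address_kind(addr_type, addr),
            "name": name.decode("utf-8", "replace"),
            "rssi": rssi - 256 if rssi > 127 else rssi,
        })
    return reports


def link_sightings(sightings):
    """Group sightings by advertiser address with the set of cities seen in."""
    seen = {}
    for city, pkt in sightings:
        for r in parse_adv_reports(pkt):
            entry = seen.setdefault(r["addr"], {"kind": r["kind"],
                                                "name": r["name"], "cities": set()})
            entry["cities"].add(city)
    return seen


def trackable(sightings):
    """Addresses with a fixed identity that were seen in more than one city."""
    return sorted(addr for addr, e in link_sightings(sightings).items()
                  if e["kind"] in ("public", "random-static") and len(e["cities"]) > 1)


if __name__ == "__main__":
    for addr, e in link_sightings(SIGHTINGS).items():
        print(addr, e["kind"], e["name"] or "-", sorted(e["cities"]))
    print("followed between cities:", trackable(SIGHTINGS))
```

A device that keeps a public or random static address is linkable by anyone who can receive its advertisements, and a human-readable local name makes the match trivial. A device that rotates resolvable private addresses can only be re-identified by peers that hold its Identity Resolving Key, which is the BLE privacy feature the bracelets in the study did not use; a scanner that also compares manufacturer-specific data or service UUIDs can sometimes still fingerprint such devices, so address rotation alone is not a complete defence.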
For more information, please visit: https://www.virusbtn.com/index
Disclaimer: We are an infosec video aggregator, and this video is linked from an external website. The original author may be different from the user re-posting or linking it here. Please do not assume the authors to be the same without verifying.