Symantec: Identifying and tracking activity through gadgets
Fans of self-tracking are generating a torrent of personal information through apps and devices. Are these data safe from prying eyes?
Every day, millions of people around the world record every aspect of their lives, their thoughts, their experiences and the achievements of their activities (also known as self-tracking or life logging). People who do self-tracking do so for a variety of reasons. Given the amount of personal data that is created, transmitted and stored at various points, privacy and security are important issues for users of these devices and applications. Symantec has discovered security risks in a significant number of self-tracking devices and applications. One of the major findings was that all of the wearable activity-tracking devices tested, including some of the top brands, are vulnerable to location tracking.
The researchers built a series of scanning devices using Raspberry Pi minicomputers and, by placing them at sporting events and in crowded public places, found that tracking people was possible and feasible.
Symantec has also found vulnerabilities in how personal data is stored and managed, such as unencrypted transmission of passwords and inadequate session management when applications connect to servers.
How do self-tracking systems work?
Many people who practice self-tracking do so with gadgets like electronic wristbands, smart watches, pendants, and even "smart" clothes. These gadgets typically contain a range of sensors, a processor, memory and a communication interface. They allow the user to collect, store, and transmit their data effortlessly to another computer for processing and analysis.
Image 1. What a standard recording device includes
Despite the growing use of specially designed gadgets, smartphones are probably the most common tools people use to carry out self-tracking. A modern smartphone is equipped with a wide range of different sensors that can be used for a range of self-tracking applications. Most people always have their mobile phones with them, and the plethora of free self-tracking applications makes it easier for users to do self-tracking.
Image 2. Modern smartphones feature a series of sensors
To start self-tracking, users simply choose from the wide range of apps available on app markets, install one of them, subscribe to it, and start tracking. At the end of each session, the user can browse the collected data and sync it to a cloud-based server for storage.
How secure is the electronic recording of yourself?
When the information we record about ourselves is at the disposal of the providers, does this automatically mean that we trust them? How do we know that they take all the necessary measures to protect our data and our privacy? To see what is happening, we looked at popular devices and applications on the market and at what companies are doing to protect the users of their services.
Identify wearable devices
All wearable activity-tracking devices can be detected via wireless broadcast protocols.
There are many wearable sports tracking devices on the market. These devices generally contain sensors to detect motion, but most are not designed for location tracking. The data collected by these devices must be synchronized with another device or computer so that it can be processed. For convenience, many manufacturers use Bluetooth Low Energy to allow the device to synchronize data wirelessly with a smartphone or computer. However, this convenience has a price: the device can give away information that allows it to be tracked from one location to another.
To test how these devices can be detected, we created a portable Bluetooth scanning device using Raspberry Pi minicomputers and other peripherals such as a Bluetooth 4.0 adapter, a battery pack and an SD card. These were combined with open source software and standard scripting. Each device cost about US$75 and could easily be built by anyone with basic IT knowledge.
The results of the survey show that the manufacturers of these devices (including the leading ones on the market) have not seriously considered how they will address the privacy issues of these products. As a result, the devices, and those who wear them, can easily be identified by anyone with basic IT skills and the help of cheap tools.
Why should we worry about this?
Thieves, or somebody watching us, could use the location information for malicious purposes. There are examples of thieves using positioning systems to learn when a prospective victim is not at home!
Transmitting personal data and tracking information in clear text
20% of applications transmit user credentials without encryption.
Many of these apps and services have a cloud server to which users must upload the data their apps collect, for safekeeping and analysis. Beyond simply storing activity data, some services collect additional personal information such as date of birth, address, photographs and other statistics. To prevent unauthorized access to user data, these services ask users to create an account protected by a user name and password.
The problem we noticed was that an unacceptably large percentage of these applications do not handle sensitive data, such as user names (e.g., email addresses) and passwords, safely. Many of them transmit user-generated data like login credentials through an unsafe medium such as the internet without any attempt to protect it (e.g., through encryption). This means that the data can easily be intercepted and read by attackers. Lack of basic security is a major omission and raises questions about how these services handle the information stored on their servers.
Why should we worry about this?
The transmission of credentials in clear text is particularly problematic because the vast majority of people tend to reuse login credentials on many websites. Thanks to reuse, login details stolen from one service can probably be used to gain access to sensitive services such as email accounts or online shopping accounts.
Lack of privacy policies
52% of the applications tested do not have privacy policies
Self-tracking applications are by nature developed to collect and analyze personal information. It is therefore reasonable to expect, and indeed required by law in many countries (such as the Online Privacy Protection Act 2003), that companies that collect and manage personal data have a privacy policy in a prominent and easily accessible place. Privacy policies should be easy to understand and should be shown to users before they sign up for the service, so that they have a choice before deciding to use it. Despite the importance of having a privacy policy, most applications had none!
Why should we worry about this?
The lack of a privacy policy is a possible indication of how self-tracking service providers and applications handle the issue of security. Users must be well informed and take this into account before registering for these services.
Unintentional data leakage
The maximum number of unique domains contacted by a single application was 14, and the average was 5.
On average, we found that applications contact 5 different Internet domains. In the worst case, we found an application that contacted 14 different domains in the short period of its operation. While it is understandable that applications may need to communicate with a small number of domains so that they can transmit the collected data and access certain APIs, such as ads, it may come as a surprise that a significant number of applications contact 10 or more different domains for different purposes. Many of the applications contact analytics services, while others use these analytics to check the application's performance for any failures.
Despite the good intentions of application developers, information about user activities can be revealed in the most unlikely ways, thanks to how the application uses third-party services. There are a number of illustrative examples where the application can accidentally leak your data.
Why should we worry about this?
Although many of us like to share details of our lives with others, including friends and family, there are some things that we do not have to share. When we choose not to share something, we definitely do not want service providers to do it for us.
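One way to check an app's captured traffic for the two findings above, credentials sent without encryption and the number of domains contacted, is a small audit script. This is an added example, not code from Symantec's study; the capture, the host names and the list of credential field names are constructed assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Assumed credential-like field names; extend for the app under test.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "email", "username", "user", "login"}

# Constructed capture of one app session (not real traffic): url, content type, body.
CAPTURE = [
    ("http://api.fitapp.example/v1/login", "application/x-www-form-urlencoded",
     "email=alice%40mail.example&password=hunter2"),
    ("https://api.fitapp.example/v1/sync", "application/json", '{"steps": 9120}'),
    ("http://stats.analytics.example/collect?user=alice&event=run", "", ""),
    ("https://ads.adnet.example/banner?slot=3", "", ""),
    ("https://auth.fitapp.example/token", "application/json",
     '{"username": "alice", "password": "hunter2"}'),
]

def fields(url, ctype, body):
    """Collect parameter names from the query string and from a form or JSON body."""
    names = {k.lower() for k, _ in parse_qsl(urlsplit(url).query)}
    if "json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:
            data = {}  # malformed body: nothing to inspect
        if isinstance(data, dict):
            names |= {k.lower() for k in data}
    elif "x-www-form-urlencoded" in ctype:
        names |= {k.lower() for k, _ in parse_qsl(body)}
    return names

def cleartext_credentials(capture):
    """Return (host, sorted credential fields) for every request sent without TLS."""
    findings = []
    for url, ctype, body in capture:
        parts = urlsplit(url)
        leaked = fields(url, ctype, body) & CREDENTIAL_KEYS
        if parts.scheme == "http" and leaked:
            findings.append((parts.hostname, sorted(leaked)))
    return findings

def contacted_hosts(capture, first_party_suffix):
    """Split the distinct hosts contacted into first-party and third-party lists."""
    hosts = {urlsplit(url).hostname for url, _, _ in capture}
    first = {h for h in hosts if h == first_party_suffix or h.endswith("." + first_party_suffix)}
    return sorted(first), sorted(hosts - first)

if __name__ == "__main__":
    print(cleartext_credentials(CAPTURE))
    print(contacted_hosts(CAPTURE, "fitapp.example"))
```

The login over `https://` is not flagged, while the user identifier sent over plain HTTP to the constructed analytics host is, which is the kind of third-party leak the section describes.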
Other security weaknesses
In any shared service, user accounts are used to separate each user's state and data from those of others. Sessions are used to manage and process the data flow so that users can only access their own data and perform tasks on the data they have access to. Inadequate session management can be exploited by cybercriminals, who can hijack sessions and impersonate other users. This can result in information leaks, vandalism, and other problems.
Why should we worry about this?
Poorly designed systems can expose serious vulnerabilities for attackers to exploit. This can lead to a complete breach of the user data held by the service provider. Depending on the degree of sensitivity of the data, the impact on users may range from insignificant to very serious.
What can you do about this?
At first glance, online recording and privacy seem to be incompatible. How can you capture a wealth of data about yourself and preserve your privacy? Thinking about the security and privacy issues that have arisen, the obvious conclusion is that if you care about your privacy, it is best not to do any self-tracking!
Despite the potential security and privacy risks, the self-tracking movement continues to grow significantly and is expected to keep growing for a few more years. To ensure that users continue to enjoy this activity safely, Symantec suggests taking some basic steps to protect yourself against the risk of exposing your personal self-tracking information.
- Use a screen lock or password to prevent unauthorized access to your device
- Do not use the same user name and password on different websites
- Use 'strong' passwords
- Turn off Bluetooth when you do not need it
- Be careful when websites and services ask you for unnecessary or excessive information
- Be cautious when using features that share this information on social media
- Avoid sharing your location details on social media
- Avoid apps and services that do not disclose their privacy policy
- Read and understand the privacy policy of your apps and services
- Install updates to applications and operating systems when available
- Use a security solution for your device
- Use full device encryption if available
More information
Those who need more information about this topic can read the latest whitepaper titled: How secure is the electronic recording of yourself?