A new report released by Internet security firm Symantec highlights the security risks of personal and wearable tracking devices such as the FitBit, and even self-tracking apps such as Runkeeper, Runtastic, and MapMyRun. In our efforts to track and quantify our every move (what Symantec calls the “Quantified Self” movement), we are generating an unbelievable amount of data, including location data, that can be used to profile us, track our location, and even to steal our identity.
In the report, released earlier this week as a white paper entitled “How Safe is Your Quantified Self?”, Symantec researchers Mario Ballano Barcena, Candid Wueest, and Hon Lau explain that “Symantec has found security risks in a large number of self-tracking devices and applications. One of the most significant findings was that all of the wearable activity-tracking devices examined, including those from leading brands, are vulnerable to location tracking.”
Moreover, say Barcena et al., they also found serious concerns with how personal data is stored and managed by such devices, such as your passwords being transmitted in plain text.
According to the report, there are three primary potential points of failure in terms of security for your personal data: your data on the device (or in the app) itself, the transmission vector when the data is being transmitted (such as from your device or app to the server), and your data’s storage on the server (i.e. in the cloud).
The devices themselves can be subject to malware, and of course can be stolen.
Of risks during the transmission phase, the researchers explain that “Data collected by self-tracking apps and devices often need to be sent to the cloud either in real time or in batches, such as at the end of an activity session. Transmission may occur directly from the device to the cloud or from the device, to a computer, and then to the cloud,” adding that “During transmission, data is at risk from an array of possible threats. These include traffic sniffing…and man-in-the-middle and redirection attacks, which could cause data to be sent to the wrong server.”
And of course once your personal data is in the cloud, on the service’s servers, all bets are off. One can hardly pick up a paper (does anybody do that any more?) without reading about the newest, biggest hacking scandal in which all of one company or another’s user account data was hacked.
In addition to profiling us, tracking us, and stealing our identity, says Symantec, this data, when in the wrong hands, can be used to stalk us, embarrass us, and even subject us to extortion (“we know where you were when you told your wife that you were working out at the gym”).
Think this is an unlikely event?
20% of all apps transmit passwords in the clear, says Symantec, and “All of the wearable activity tracking devices examined, including those from leading brands, are vulnerable to location tracking.”
The report closes with the following suggestions to users of tracking devices:
• Use a screen lock or password to prevent unauthorized access to your device
• Do not reuse the same user name and password between different sites
• Use strong passwords
• Turn off Bluetooth when not required
• Be wary of sites and services asking for unnecessary or excessive information
• Be careful when using social sharing features
• Avoid sharing location details on social media
• Install app and OS updates when available
• Use a device-based security solution
• Use full device encryption if available
…or, you could just ditch the tracking devices, and enjoy your activities for their own inherent value.