Monday, 1 September 2014

Are you wearing a security risk?

Quantified Self

The "quantified self" is the use of technology to capture data on various aspects of a person's life.  This could be food and water intake, blood pressure, glucose levels, steps, movement, sleep patterns and the like.  As these wearable monitoring solutions become increasingly popular, there needs to be an understanding of how some of the more mainstream technology works.

Data Connectivity

Many of these wearable devices will collect data and then synchronise it to a computer or smart device using Bluetooth LE (low energy), sometimes known as Bluetooth 4.0.  Data can also be entered manually on the computer or smart device.  This data is then transferred to a cloud location, which provides a dashboard with history, over an internet connection, whether that be cellular, wireless or cabled.

FitBit & Security?

I recently purchased a FitBit Flex, a wearable band that monitors my steps, movement and sleep patterns.  So I wanted to look at this example and see whether there were any security risks I should be aware of.

Personal Information

First of all I needed to create an account on a web portal, which required either logging in with Google or Facebook credentials or creating a login with an email address.  The portal uses an SSL certificate, although there is no requirement for a strong password.

Personal information can be stored, but it's not mandatory.  There is the ability to store your name, postal address, gender, date of birth, country, height and weight.  The dashboard can create API links to Facebook, Twitter and WordPress.

The dashboard shows the number of steps taken and the distance covered, and then gives a calculation of calories burnt.

Bluetooth Wearable

The wearable is charged up and ready to go; what next?  It will start to collect data, and that data will need to be transferred to a smart device or computer.  The wearable uses Bluetooth LE, as this has a minimal battery drain on the smart device.  The wearable synchronises with the computer or smart device using the software or app installed.  Although the wearable device is visible as a Bluetooth device, I was unable to connect to it.

I'm not suggesting that it's not possible, as Bluetooth hacking tools are quite inexpensive, but it certainly wasn't possible with a simple connection.

Dashboard Access

As mentioned before, the dashboard runs as a secure website using an SSL certificate to protect it.  The credentials to log into that dashboard are either social media or an email address with password.  No complexity was required on the password, despite the personal information that could be stored.

If someone had access to my email or my social media accounts, then access to the dashboard would be relatively straightforward.  On my laptop with my profile, when I access the main website, it takes me straight into the dashboard.

Data Synchronisation

The data sent to the portal seems to be protected rather than transferred in clear text.  There may be some concerns with the connection method used to transfer this data, so the normal rules would apply.  If there is an open wireless connection, or a connection protected only by WEP, the data can be gathered during the transfer.  Whether the data would be of any use is a different matter.

If a web proxy that is able to decrypt traffic to websites is in use, then some information could be gathered by that system, and its systems administrator would have access to it.

I'm not too familiar with cellular data transfer, so I am unable to comment on how secure this data transfer method would be.

Data Privacy?

Another concern is whether my data privacy is being respected.  Will FitBit sell my data to the highest bidder?  Who will have access to my data?  How is it stored?  How is it protected?

Here is the privacy policy for UK users: https://www.fitbit.com/uk/privacy

Should I use my wearable?

As we have learnt from some very high profile breaches, no organisation or website is 100% secure.  Be aware of what data you are putting on the internet, but I will carry on using my FitBit Flex in the meantime.
