Mumbai: Each day, millions of people worldwide are actively recording every aspect of their lives, thoughts, experiences, and achievements in an activity known as self-tracking (aka quantified self or life logging). People who engage in self-tracking do so for various reasons. Given the amount of personal data being generated, transmitted, and stored at various locations, privacy and security are important considerations for users of these devices and applications.
Symantec, after a study, has found security risks in a large number of self-tracking devices and applications. One of the most significant findings was that all of the wearable activity-tracking devices examined, including those from leading brands, are vulnerable to location tracking.
Symantec’s researchers built a number of scanning devices using Raspberry Pi minicomputers and, by taking them out to athletic events and busy public spaces, to find that tracking of individuals was possible. Symantec also found vulnerabilities in how personal data is stored and managed, such as passwords being transmitted in clear text and poor session management.
How do self-tracking systems work?
Many people who engage in self-tracking do it with gadgets such as electronic wristbands, smart watches, pendants, and even smart clothing. These gadgets typically contain a number of sensors, a processor, memory, and a communication interface. These gadgets enable the user to effortlessly collect, store, and transmit the data to another computer for processing and analysis.
Despite the growing use of specifically designed gadgets, smartphones are perhaps the most common way for people to perform self-tracking. A modern smartphone is packed with a wide range of different sensors that can be used by many different self-tracking applications. Many people already carry smartphones with them, and the proliferation of free self-tracking apps makes it easier than ever for users to get into self-tracking.
To start self-tracking, users simply choose from a wide range of apps in the various app markets, install one of them, sign up for an account, and start tracking. At the end of every session, the user can review and sync the collected data to a cloud-based server for storage.
So just how safe is your quantified self?
When we hand over our personal and quantified self data to these service providers, are we misplacing our trust in them? How do we know that they are taking the steps necessary to protect our information and our privacy? To help get a handle on this, Symantec looked at what’s currently going on in the world of self-tracking. They examined what vendors are doing to protect users of their services by taking a closer look at some of the most popular quantified self-devices and apps on the market.
Location tracking of wearable devices
All wearable activity-tracking devices can be tracked or located through wireless protocol transmissions.
There are many wearable sports activity-tracking devices currently available in the market. These devices generally contain sensors to detect motion but most are not designed for location tracking. Data collected by these devices generally has to be synced to another device or computer so that it can be viewed. For convenience, many manufacturers use Bluetooth Low Energy to allow the device to wirelessly sync data to a smartphone or computer. However, this convenience comes with a price; the device may be giving away information that can allow it to be tracked from one location to another.
To test how these devices could be tracked, Symantec built some portable Bluetooth scanning devices. Symantec found that all the devices encountered could be easily tracked using the unique hardware address that they transmit. Some devices (depending on configuration) may allow for remote querying, through which information such as the serial number or a combination of characteristics of the device can be discovered by a third party from a short distance away without making any physical contact with the device.
From the results of this research, it appears that manufacturers of these devices (including market leaders) have not seriously considered or addressed the privacy implications of wearing their products. As a result, the devices, and by association the wearers, can be easily tracked by anybody with some basic skills and a few cheap tools.
Why worry about this?
It’s possible that burglars or stalkers could use location-tracking information for malicious intent. Burglars have been known to use location-tracking systems to tell when a potential victim is not at home.
Transmission of tracking and personal data in clear text
20 percent of apps transmitted user credentials in clear text:
Many of the quantified self apps and services have a cloud server-based component where users are required to upload and store data collected from their apps and services for safe keeping and analysis. Aside from just storing data about activities, some services also collect a wide range of other personal information such as date of birth, relationship status, addresses, photos, and other personal statistics. To prevent unauthorized access to the users’ data, these services all require user accounts which are protected by user name and password credentials.
The problem observed is that an unacceptably large proportion of these apps and services do not handle sensitive user data, such as user names (e.g. email address) and passwords, securely. Many of them transmit user-generated data, including login credentials, through an unsecure medium such as the Internet without any attempt to protect it (e.g. by encrypting it). This means that the data could be easily intercepted and read by an attacker. The lack of basic security at this level is a serious omission and raises serious questions about how these services handle information stored on their servers.
Why worry about this?
The transmission of credentials in clear text is especially troubling given that large numbers of people have a propensity to reuse login credentials at multiple sites. Due to reuse, login details stolen from one service could potentially be used to gain access to more sensitive services such as email accounts or online shopping accounts.
Lack of privacy policies
52 percent of apps examined did not have privacy policies.
Self-tracking apps and services are by their nature designed to collect and analyze personal information. Therefore it is reasonable to expect, and indeed is legally required in many jurisdictions (e.g. Online Privacy Protection Act 2003), of companies that collect and manage PII to make available a privacy policy that is prominently displayed and easily accessible. Privacy policies should preferably be understandable, even by those not in the legal profession, and shown to users before they sign up for a service so that they can make a considered choice before using it.
Despite the importance of having a privacy policy, the majority of apps examined did not have one.
Why worry about this?
The lack of a privacy policy may be a possible indicator of how the issue of security is treated in the development and provision of online self-tracking services. Users would be well advised to take this into consideration before signing up for any services.
What can you do about this?
At first glance, self-tracking and privacy may appear to be strange bedfellows. How can recording lots of data about yourself and maintaining privacy even be possible? Considering the security and privacy issues that we have seen, the obvious conclusion is, if you value your privacy, the best thing is to not do any self-tracking at all!
Despite potential risks to security and privacy, the quantified self movement continues to experience rapid growth and is expected to keep growing for some years to come. To ensure that users can continue to enjoy this activity in safety, we recommend that they take some basic security precautions to help guard against the risk of exposing their personal and self-tracking information.
- Use a screen lock or password to prevent unauthorized access to your device
- Do not reuse the same user name and password between different sites
- Use strong passwords
- Turn off Bluetooth when not required
- Be wary of sites and services asking for unnecessary or excessive information
- Be careful when using social sharing features
- Avoid sharing location details on social media
- Avoid apps and services that do not prominently display a privacy policy
- Read and understand the privacy policy of app and services
- Install app and operating system updates when available
- Use a device-based security solution if available
- Use full device encryption if available
Inputs: Symantec Blog (Image: Symantec)
