Sunday, 31 August 2014

Wearable Tracking Gadgets with Raspberry Pi

Symantec built tracking gadgets using the Raspberry Pi.




Are you whiling the time away until you get your first smartwatch or preparing to run to the local store to buy the latest fitness tracker?


If so, you may wish to know that snoops can track such devices, and at a fraction of the price you will be paying for the latest in wearable tech.


People who use wearable gadgets to monitor their health or activity can be tracked with only $70 (£40) of hardware, research suggests.


The security firm Symantec took a Raspberry Pi and added components including a Bluetooth 4.0 adapter, SD card and battery pack. All-in, the home-made tracker cost around $75 which is about £44/56 Euros.


The company took a number of such devices to busy public locations in both Switzerland and Ireland, as well as a major sporting event, and ran them in passive mode. By simply scanning the airwaves for signals broadcast by wearables, the Raspberry Pis were able to successfully track each and every one of them via their serial numbers or a combination of other factors, prompting the researchers to say:


“In our testing, we found that all the devices we encountered can be easily tracked using the unique hardware address that they transmit. Some devices (depending on configuration) may allow for remote querying, through which information such as the serial number or a combination of characteristics of the device can be discovered by a third party from a short distance away without making any physical contact with the device.”
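One way to audit a wearable you own for the fixed-address behaviour described above (an added example, not code from Symantec or the original post): it classifies each advertised Bluetooth LE address by type and flags addresses that never rotate. The log format, function names, sample addresses and the 900-second rotation threshold are assumptions of this example.

```python
from collections import defaultdict

# Sub-types encoded in the two most significant bits of a *random* BLE
# device address (Bluetooth Core Specification).
RANDOM_KINDS = {0b11: "static random", 0b01: "resolvable private",
                0b00: "non-resolvable private", 0b10: "reserved"}

def classify(address, is_random):
    """Name the address type; is_random is the scanner's address-type flag."""
    if not is_random:
        return "public"
    top_bits = int(address.split(":")[0], 16) >> 6
    return RANDOM_KINDS[top_bits]

def audit(log, max_lifetime_s=900):
    """log: (unix_time, address, is_random) sightings of ONE device you own,
    captured in isolation. Returns {address: (kind, seconds_seen, linkable)}."""
    seen, flags = defaultdict(list), {}
    for ts, addr, is_random in log:
        seen[addr.upper()].append(ts)
        flags[addr.upper()] = is_random
    report = {}
    for addr, stamps in seen.items():
        kind = classify(addr, flags[addr])
        lifetime = max(stamps) - min(stamps)
        fixed = kind in ("public", "static random")
        # Linkable: the address is fixed by type, or it outlived the
        # rotation threshold (an assumption of this example).
        report[addr] = (kind, lifetime, fixed or lifetime > max_lifetime_s)
    return report

def is_trackable(log, max_lifetime_s=900):
    """True if any observed address would let sightings be linked over time."""
    return any(link for _, _, link in audit(log, max_lifetime_s).values())

# Constructed sample logs (not real devices): one hour of sightings each.
FIXED_BAND = [(t, "C4:12:9A:00:11:22", True) for t in (0, 1200, 2400, 3600)]
ROTATING_WATCH = [(0, "5A:01:02:03:04:05", True), (600, "5A:01:02:03:04:05", True),
                  (900, "63:0A:0B:0C:0D:0E", True), (1500, "63:0A:0B:0C:0D:0E", True),
                  (1800, "7F:10:20:30:40:50", True), (2400, "7F:10:20:30:40:50", True)]

if __name__ == "__main__":
    for name, log in (("fixed band", FIXED_BAND), ("rotating watch", ROTATING_WATCH)):
        print(name, "trackable by address:", is_trackable(log))
        for addr, (kind, life, link) in audit(log).items():
            print(f"  {addr}  {kind:<22} seen {life:>4}s  linkable={link}")
```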


The researchers also delved further into wearable tech and the associated apps, looking for other potential security and privacy concerns, and they found several.


Symantec discovered that 52% of the self-tracking apps it examined did not have a privacy policy which, it says, may suggest that the developers do not take security and privacy as seriously as they perhaps could.


Researchers also discovered a large amount of unintentional data leakage with the average app contacting 5 domains (one even contacted 14 domains) in a short period of time. Whilst there may be legitimate reasons for a fitness or other tracking app to contact a number of domains for the transmission of data or to serve ads, for instance, Symantec said that the number of domains being contacted increased the risks of data leakage through human error, social engineering or careless or malicious handling of data.


The researchers also discovered other concerns, such as weak session management, which could lead to session hijacking, which could in turn lead to further problems.


Symantec’s blog post ends with the company pointing out that self-tracking apps and devices are not synonymous with privacy and suggesting that those who value their privacy will not get involved in self-tracking in the first place.


However, knowing that many users will continue to use fitness trackers, smartwatches, etc., regardless, the company offers up the following tips which I would describe as being little more than damage limitation rather than a security solution:


* Use a screen lock or password to prevent unauthorized access to your device
* Do not reuse the same user name and password between different sites
* Use strong passwords
* Turn off Bluetooth when not required
* Be wary of sites and services asking for unnecessary or excessive information
* Be careful when using social sharing features
* Avoid sharing location details on social media
* Avoid apps and services that do not prominently display a privacy policy
* Read and understand the privacy policy of apps and services
* Install app and operating system updates when available
* Use a device-based security solution if available
* Use full device encryption if available


In addition, the research team looked at the apps associated with some activity monitors or that use a smartphone to gather data. About 20% of the apps Symantec looked at did nothing to obscure data being sent across the net even though it contained important ID information, such as name, passwords and birthdate.


“The lack of basic security at this level is a serious omission and raises serious questions about how these services handle information stored on their servers,” said the Symantec team.


Further analysis revealed that many apps did not do enough to secure the passage of data from users back to central servers. In some cases it was possible to manipulate data to read information about other users or fool databases into executing commands sent by external agents.


“These are serious security lapses that could lead to a major breach of the user database,” said the team.


