Life Trackers Could “Open The Door” To Burglars When You’re Not Home


Tracking and monitoring your own sports activity or medical conditions could leave you vulnerable to a hacking attack that gives away your current location, including when you are away from home.

Are you into self-tracking, life-logging, or quantified self as it's sometimes called? If so, it becomes easy to track and hack lots of your personal data.

So whether it’s tracking or monitoring sports activity, medical conditions, or for some people, their sex life, the wearable electronics accumulating that data are vulnerable to attack. With millions of people now life-logging, a vast quantity of data is being generated and stored, so it becomes imperative that wearable electronics feature much higher levels of data security than currently exist.

Tracked and Hacked

Internet security specialists Symantec recently brought this invasive loophole to light. Using Raspberry Pi computers to create scanning devices, the company’s designers discovered that tracking of individuals was possible. The company also found weaknesses in how personal data is stored. Symantec clearly stated that at no time during these exercises did it actually hack data—but that’s not to say it isn’t possible.

Lots of different gizmos are used for self-tracking, from smart wristbands to mobile phones. All of them use sensors and most communicate via Bluetooth to link and sync data to laptops, allowing data to be viewed, stored, or forwarded elsewhere.

The Bluetooth scanning devices devised by Symantec, using Raspberry Pi minicomputers that included a Bluetooth 4.0 adaptor, a battery pack, and a memory card, were combined with open-source software. The scanners were also passively enabled.

All of the life-logging devices found by the scanner were easily tracked using the hardware address transmitted by each one. An inherent danger with some life-logging products is that they will allow remote access, which can lead to information being obtained from a short distance away without making any physical contact with the device.
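The paragraph above says each device could be followed by the hardware address it transmits. As an added example (not Symantec's scanner code and not part of the original article), this Python sketch audits a scan log of your own wearable for addresses that stay linkable over time, using the Bluetooth LE address-type bits, which the article does not go into. The record format, the function names `classify_address` and `audit`, the 15-minute threshold and all sample addresses are assumptions constructed for illustration.

```python
# Added example: audit BLE advertisement records for addresses that act as
# stable identifiers. All sample data below is constructed.
from collections import defaultdict

ROTATION_LIMIT_S = 900  # assumed threshold (15 min); tune to the device's documented interval

def classify_address(addr, is_random):
    """Return the BLE address type. `is_random` is the address-type flag a
    scanner reports with each advertisement; the bytes alone do not reveal it."""
    if not is_random:
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6  # two most significant bits
    return {0b11: "static-random", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")

def audit(observations, limit_s=ROTATION_LIMIT_S):
    """observations: iterable of (unix_time, address, is_random).
    Returns {address: finding} for every address that stays linkable over time."""
    seen = defaultdict(list)
    kinds = {}
    for ts, addr, is_random in observations:
        addr = addr.upper()  # normalise case so one device is not counted twice
        seen[addr].append(ts)
        kinds[addr] = classify_address(addr, is_random)
    findings = {}
    for addr, times in seen.items():
        kind, span = kinds[addr], max(times) - min(times)
        if kind in ("public", "static-random"):
            findings[addr] = f"{kind}: fixed address, linkable across sightings"
        elif span > limit_s:  # private type that was never actually rotated
            findings[addr] = f"{kind}: unchanged for {span}s (limit {limit_s}s)"
    return findings

# Constructed scan log: (unix_time, address, is_random)
SAMPLE = [
    (0,    "00:11:22:33:44:55", False),  # public address
    (3600, "00:11:22:33:44:55", False),
    (0,    "C4:9A:02:10:20:30", True),   # top bits 11 -> static random
    (0,    "5B:01:02:03:04:05", True),   # top bits 01 -> resolvable private
    (600,  "7E:0A:0B:0C:0D:0E", True),   # a rotated address, not linkable to the one above
    (0,    "4F:AA:BB:CC:DD:EE", True),   # private type, but never rotated
    (7200, "4f:aa:bb:cc:dd:ee", True),
]

if __name__ == "__main__":
    for addr, finding in audit(SAMPLE).items():
        print(addr, "->", finding)
```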

Results obtained from Symantec’s experiment may indicate that manufacturers of these devices haven’t seriously considered or addressed the privacy implications of wearing their products. Such an information security vulnerability, of course, is a major concern. For example, criminals such as burglars could use the tracking information to ensure that users are not in their homes. On this front, it appears that greater use of data encryption should be an integral design element of life-logging devices.

Symantec also revealed that in any shared service, user accounts will segregate one user’s status and data from others. “Sessions” manage the flow of data and processing so that users can only access their own data and perform tasks only on the data that they’re permitted to access. Cybercriminals can exploit weak session management to hijack sessions by masquerading as other users. This can lead to information leaks and data vandalism.

Furthermore, research identified sites that didn’t correctly handle user sessions. In one example, it was possible to browse personal data belonging to other users of the site. In another instance, an attacker uploaded SQL statements, such as commands to create tables in the database, to the server for execution.

What Can You Do?

Self-tracking and privacy present a dichotomy when considering absolute data security. In fact, when it comes to guaranteeing absolute data safety, the best advice is to avoid life-logging altogether. That's not going to happen, though, given its escalating popularity.

So Symantec came up with some safeguard suggestions for those habitual life-trackers:

• Use a screen lock or strong password to prevent unauthorized access.

• Do not reuse the same user name and password between different sites.

• Always turn off Bluetooth when not required.

• Be wary of being asked for unnecessary or excessive information.

• Avoid sharing location details on social media.

• Avoid apps and services that do not display a privacy policy.

• Always read and understand the privacy policy of apps and services.

• Install app and operating system updates when available.

• Use a device-based security solution if available.

• Use full device encryption if available.

Discuss this Blog Entry 2

on Aug 24, 2014

Reading the article reminded me of another related but usually neglected threat - social engineering.

on Aug 24, 2014

.


What's London Calling?

Blogs on the electronics industry

Contributors

Paul Whytock

Paul Whytock is European Editor for Penton Media's Electronics Division. From his base in London, England, he covers press conferences and industry events throughout the EU for Penton...