Life Trackers Could “Open The Door” To Burglars When You’re Not Home


Tracking and monitoring your own sports activity or medical conditions could leave you vulnerable to a hacking attack that gives away your current location, including when you are away from home.

Are you into self-tracking, life-logging, or quantified self as it's sometimes called? If so, it becomes easy to track and hack lots of your personal data.

So whether it’s tracking or monitoring sports activity, medical conditions, or, for some people, their sex life, the wearable electronics accumulating that data are vulnerable to attack. With millions of people now life-logging, a vast quantity of data is being generated and stored, so it becomes imperative that wearable electronics feature much higher levels of data security than currently exist.

Tracked and Hacked

Internet security specialists Symantec recently brought this invasive loophole to light. Using Raspberry Pi computers to create scanning devices, the company’s designers discovered that tracking of individuals was possible. The company also found weaknesses in how personal data is stored. Symantec clearly stated that at no time during these exercises did it actually hack data—but that’s not to say it isn’t possible.

Lots of different gizmos are used for self-tracking, from smart wristbands to mobile phones. All of them use sensors and most communicate via Bluetooth to link and sync data to laptops, allowing data to be viewed, stored, or forwarded elsewhere.

The Bluetooth scanning devices devised by Symantec, using Raspberry Pi minicomputers that included a Bluetooth 4.0 adaptor, a battery pack, and a memory card, were combined with open-source software. The scanners were also passively enabled.

All of the life-logging devices found by the scanner were easily tracked using the hardware address transmitted by each one. An inherent danger with some life-logging products is that they will allow remote access, which can lead to information being obtained from a short distance away without making any physical contact with the device.

Results obtained from Symantec’s experiment may indicate that manufacturers of these devices haven’t seriously considered or addressed the privacy implications of wearing their products. Such an information security vulnerability is, of course, a major concern. For example, criminals such as burglars could use the tracking information to ensure that users are not in their homes. On this front, it appears that greater use of data encryption should be an integral design element of life-logging devices.
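To check whether a wearable you own can be followed by the address it transmits, you can audit a scan log for addresses that never change. The sketch below is an added example, not Symantec's tooling; it goes beyond the article by using the Bluetooth LE address types (public, static random, private), and the log format, function names and sample sightings are assumptions constructed for illustration.

```python
from collections import defaultdict

# Sub-type of a BLE *random* address, taken from its two most significant bits.
RANDOM_SUBTYPES = {
    0b11: "static random",           # fixed for as long as the device stays powered
    0b01: "resolvable private",      # meant to rotate; only bonded peers can resolve it
    0b00: "non-resolvable private",  # meant to rotate; nobody can resolve it
}

def classify(address, addr_type):
    """addr_type is 'public' or 'random', as reported by the scanner."""
    if addr_type == "public":
        return "public"
    top_bits = int(address.split(":")[0], 16) >> 6
    return RANDOM_SUBTYPES.get(top_bits, "reserved")

def audit(sightings, min_span_s=3600):
    """Return {address: kind} for every address seen unchanged for min_span_s or longer.

    An address that stays constant that long links all sightings of the wearer,
    whatever its declared kind; a private address that shows up here is not rotating.
    """
    seen = defaultdict(list)
    kinds = {}
    for ts, address, addr_type in sightings:
        seen[address].append(ts)
        kinds[address] = classify(address, addr_type)
    return {a: kinds[a] for a, ts in seen.items() if max(ts) - min(ts) >= min_span_s}

# Constructed sample log: (seconds since start, address, address type).
SIGHTINGS = [
    (0,    "00:11:22:33:44:55", "public"),
    (7200, "00:11:22:33:44:55", "public"),
    (0,    "F3:AA:BB:CC:DD:01", "random"),
    (5400, "F3:AA:BB:CC:DD:01", "random"),
    (0,    "5A:10:00:00:00:01", "random"),  # private address, replaced after 15 minutes
    (600,  "5A:10:00:00:00:01", "random"),
    (900,  "6B:20:00:00:00:02", "random"),
    (1500, "6B:20:00:00:00:02", "random"),
]

if __name__ == "__main__":
    for address, kind in audit(SIGHTINGS).items():
        print(f"{address}  {kind}: constant for an hour or more, trackable")
```
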

Symantec also revealed that in any shared service, user accounts will segregate one user’s status and data from others. “Sessions” manage the flow of data and processing so that users can only access their own data and perform tasks only on the data that they’re permitted to access. Cybercriminals can exploit weak session management to hijack sessions by masquerading as other users. This can lead to information leaks and data vandalism.

Furthermore, research identified sites that didn’t correctly handle user sessions. In one example, it was possible to browse personal data belonging to other users of the site. In another instance, an attacker uploaded SQL statements, such as commands to create tables in the database, to the server for execution.
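Both weaknesses described above come down to trusting what the client sends. The following added example (not code from Symantec or from any of the sites examined) shows a weak handler next to a corrected one; the `activity` table, the function names and the sample rows are assumptions constructed for illustration.

```python
import secrets
import sqlite3

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE activity (id INTEGER PRIMARY KEY, owner TEXT, steps INTEGER)")
db.executemany("INSERT INTO activity VALUES (?, ?, ?)",
               [(101, "alice", 8200), (102, "bob", 4100)])  # constructed rows

SESSIONS = {}  # session token -> user name, held on the server only

def login(user):
    """Issue an unguessable session token (password check omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token

def get_activity_weak(token, record_id):
    """Before: any logged-in user can read any row, and record_id is pasted into the SQL."""
    if token not in SESSIONS:
        raise PermissionError("not logged in")
    query = f"SELECT owner, steps FROM activity WHERE id = {record_id}"
    return db.execute(query).fetchone()

def get_activity(token, record_id):
    """After: the row must belong to the session's user, and input is bound as data."""
    user = SESSIONS.get(token)
    if user is None:
        raise PermissionError("not logged in")
    row = db.execute(
        "SELECT owner, steps FROM activity WHERE id = ? AND owner = ?",
        (int(record_id), user),  # int() rejects anything that is not a plain number
    ).fetchone()
    if row is None:
        # Same error for "does not exist" and "not yours", so ids cannot be probed.
        raise PermissionError("record not found")
    return row
```
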

What Can You Do?

Self-tracking and privacy present a dichotomy when considering absolute data security. In fact, when it comes to guaranteeing absolute data safety, the best advice is to avoid life-logging altogether. That's not going to happen, though, given its escalating popularity.

So Symantec came up with some safeguard suggestions for those habitual life-trackers:

• Use a screen lock or strong password to prevent unauthorized access.

• Do not reuse the same user name and password between different sites.

• Always turn off Bluetooth when not required.

• Be wary of being asked for unnecessary or excessive information.

• Avoid sharing location details on social media.

• Avoid apps and services that do not display a privacy policy.

• Always read and understand the privacy policy of apps and services.

• Install app and operating system updates when available.

• Use a device-based security solution if available.

• Use full device encryption if available.

Discuss this Blog Entry 2

on Aug 24, 2014

Reading the article reminded me of another related but usually neglected threat - social engineering.


What's London Calling?

Blogs on the electronics industry


Paul Whytock

Paul Whytock is European Editor for Penton Media's Electronics Division. From his base in London, England, he covers press conferences and industry events throughout the EU for Penton...