Health apps and wearable devices found to make many basic security mistakes.
“I know a lot of you have a Fitbit device.”
The geeks attending VB conferences tend to like their gadgets, and many of them have the latest ones, so the claim made by Candid Wüest at the beginning of his VB2014 last-minute presentation ‘Attack points in health apps & wearable devices – how safe is your quantified self?’ was bound to be accurate. But the Symantec researcher really did know how many delegates were sporting such a device.
Fitness devices and health apps have become very popular in recent years, and they certainly demonstrate the potential of modern technology. Unfortunately, in many cases, security and privacy had not been given serious consideration during development.
This will not come as a surprise to anyone who has looked at the security of mobile apps. Yet, because these apps are designed to measure things we really want to keep to ourselves, such as our health or our exact location, this is a rather serious issue.
In the best cases, apps sent data over an HTTPS connection that didn’t check for revoked certificates, but in many other cases, no encryption was used at all. In some cases, the data in the cloud itself wasn’t protected either, making personal information easily accessible for even the most novice attacker.

And it isn’t just the connection to the cloud that users have to worry about. Candid created a $75 “Blueberry pi” device, based on a Raspberry Pi and a Bluetooth USB dongle, that allowed him to track people wearing a fitness device. He had used this device to track runners during a mini-marathon in Dublin, but also to track delegates during VB2014.
He finished his presentation with a shout out to I Am The Cavalry, the grassroots organisation that focuses on making medical devices, automobiles, home electronics and public infrastructure more secure. Candid’s presentation (a variation of which he later delivered at Black Hat Europe) showed that the organisation still has a lot of work to do.
Because this was one of the event’s ‘last-minute’ presentations, there was no written paper for us to publish. We have, however, uploaded the video to our YouTube channel. You can download the presentation slides here.
Posted on 07 November 2014 by Martijn Grooten