Slashdot Mirror


Extracting Data From the Microsoft Band

An anonymous reader writes The Microsoft Band, introduced last month, hosts a slew of amazing sensors, but like so many wearable computing devices, users are unable to access their own data. A Brown University professor decompiles the app, finds that the data is transmitted to the Microsoft "cloud", and explains how to intercept the traffic to retrieve the raw minute-by-minute data captured by the Band.

51 comments

  1. remote stalking at its finest by Anonymous Coward · · Score: 0

    "she's sleeping, RIGHT NOW!".
    'nuff said.

  2. The Microsoft Band by NoNonAlphaCharsHere · · Score: 1

    So, that's like the early Ramones? All the songs 2 minutes and 30 seconds long, three chords max?

    1. Re:The Microsoft Band by Snotnose · · Score: 1

      Except they lose sync after a minute or so, thus after 2 minutes 30 seconds they're all playing a different song.

    2. Re:The Microsoft Band by kelemvor4 · · Score: 2

      Except they lose sync after a minute or so, thus after 2 minutes 30 seconds they're all playing a different song.

      Hence the maximum duration being limited to 2 minutes 30 seconds.

  3. Can you ever trust Mickey$oft??? by rstanley · · Score: 1

    Why would anyone allow Mickey$oft to spy on you even more than they already do now through their O/S's, Bing, etc...???

    Anyone who does deserves the results!!!

    1. Re:Can you ever trust Mickey$oft??? by Anonymous Coward · · Score: 0

      You must use Google.

    2. Re:Can you ever trust Mickey$oft??? by Anonymous Coward · · Score: 0

      could be worse, could be android based and then you would have google selling all your data off.

    3. Re:Can you ever trust Mickey$oft??? by Anonymous Coward · · Score: 0

      Why would anyone allow Mickey$oft to spy on you even more than they already do now through their O/S's, Bing, etc...???

      Anyone who does deserves the results!!!

      Because they will store it for free.

    4. Re:Can you ever trust Mickey$oft??? by bloodhawk · · Score: 1

      At this point in time it is a pick-your-poison: I don't like sharing that sort of data with anyone, especially a big company like MS, but at least it is not as bad as Google.

    5. Re:Can you ever trust Mickey$oft??? by rstanley · · Score: 1

      ARE YOU SERIOUS???

      By all means! Trust Mickey$oft, the NSA, and who knows who else, with your life and all your data! ;^)

      As for me, as I say: "Keep your friends close, your enemies closer, and all your data in your pocket!!!"

      In other words, I will keep my data out of the so-called, "Cloud" and on my own servers, under my sole control!

    6. Re:Can you ever trust Mickey$oft??? by Anonymous Coward · · Score: 0

      OMG!! By not posting Anonymous, you just provided your Slashdot password to SLASHDOT!! I cannot believe you trust them with your password!!

    7. Re:Can you ever trust Mickey$oft??? by sumdumass · · Score: 1

      Who says microsoft isn't?

      Or is it google that has you upset?

    8. Re: Can you ever trust Mickey$oft??? by Anonymous Coward · · Score: 0

      Nobody cares about you that much. Get over yourself.

    9. Re:Can you ever trust Mickey$oft??? by Anonymous Coward · · Score: 0

      if you are that paranoid why are you even connected to the web? why aren't you posting as an AC through a hidden network of proxies? personally I don't trust any of them to store that data for me, but many people really don't give a shit and if there is nothing particularly bad in the data why should they give a shit?

    10. Re:Can you ever trust Mickey$oft??? by Anonymous Coward · · Score: 0

      Why would anyone allow Mickey$oft to spy on you even more than they already do now through their O/S's, Bing, etc...???

      Yes who would store data on a server! Who?!

      Anyone who does deserves the results!!!

      I'm curious as to what these "results" might be. Oh dear, they have the fitness data I gave them, they may show me a targeted advertisement! The horror!

      Honestly if you have your own cell phone you are quite easily tracked already and have been for years, this new wave of paranoia is perpetrated by morons that are completely ignorant of the theoretical implications of existing technology, anything you are suggesting is not new.

    11. Re:Can you ever trust Mickey$oft??? by bloodhawk · · Score: 1

      Firstly, this data is pretty irrelevant to most and I seriously doubt anyone gives a shit about what my heart rate is and how far I walked today, much less the NSA. Secondly, if you decide the convenience is worth your loss of control of the data (which it isn't for me, but others may feel differently) then at least MS is better than having a company like Google have access to it, and they seem to be the other likely candidate in this arena.

    12. Re:Can you ever trust Mickey$oft??? by Anonymous Coward · · Score: 0

      A paranoid asshole who's also a rabid Anti-Microsoft troll. What are the odds?

    13. Re:Can you ever trust Mickey$oft??? by Anonymous Coward · · Score: 0

      Wait until the insurance companies use the heart rate information to deny you (retroactively, so they don't have to pay out your claim) insurance for a previous condition that you didn't even know you had. Trust me, this will happen.

  4. Decompiled the app? by Anonymous Coward · · Score: 0

    Probably violated the EULA by doing that.

    Microsoft has undoubtedly unleashed the hounds.

    1. Re:Decompiled the app? by kelemvor4 · · Score: 1

      Probably violated the EULA by doing that.

      Microsoft has undoubtedly unleashed the hounds.

      Yes, that's a given. Jeff is pretty much screwed at this point.

    2. Re:Decompiled the app? by helsinki92 · · Score: 1

      Cue the DMCA takedown notice!

    3. Re:Decompiled the app? by kelemvor4 · · Score: 1

      Cue the DMCA takedown notice!

      He will probably wish he was that lucky, this is Microsoft. More likely they'll sue for more money than he could earn in 3 or 4 lifetimes and his firstborn daughter's virginity.

    4. Re:Decompiled the app? by fizzer06 · · Score: 2

      his firstborn daughter's virginity

      Cosby already stole that.

    5. Re:Decompiled the app? by Opportunist · · Score: 1

      Maybe he should try to find shelter in a country with sensible copyright laws. Yes, they do (still) exist over here in Euroland.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  5. Cuecat by Anonymous Coward · · Score: 0

    ... yep that's it.

  6. This also means by Anonymous Coward · · Score: 0

    anyone that can spoof a MITM attack on microsoft band and steal your personal data. enjoy suckers

    1. Re:This also means by Anonymous Coward · · Score: 0

      No, anyone that has installed their own root certificate on your phone can. At that point you're already screwed way worse than someone knowing if you're sleeping.

    2. Re:This also means by fabrica64 · · Score: 1

      But a smart SSL application would check the cloud server against a specific SSL certificate authority (MS CA?) to protect against MITM

    3. Re:This also means by Anonymous Coward · · Score: 0

      But a smart SSL application would check the cloud server against a specific SSL certificate authority (MS CA?) to protect against MITM

      Ah yes, I ran into such a moronic approach recently for an app. You (just like them) fail to take into account that sometimes SSL providers change, upgrade infrastructure, or perhaps you jump to a cheaper provider. We had a whole government department that changed SSL providers and the retard devs that took your approach had to spend several hundred thousand dollars in dev, test and deployment costs to address the issue, as their app no longer worked because we had to update the server's SSL certs.

    4. Re:This also means by fabrica64 · · Score: 1

      Thanks for the nice words... This (having a rogue top CA ruining the entire SSL system) is a known vulnerability in the SSL architecture and it has already been used to infiltrate MS Windows updates. For this reason, if you want real security you don't use the current SSL CA structure. People don't talk too much about it for various reasons: banks don't want to create panic, government wants easy wiretap, etc. If you are happy with the current top CA lists that come with the standard browsers, you really are giving your security keys to people you don't know and that are not "certified" at all. Good luck!

    5. Re:This also means by fabrica64 · · Score: 1

      In other words, just to let you understand, you don't need to have a top CA installed on your phone to be intercepted through MITM, and apparently this also happens with your whole government department...

    6. Re:This also means by fabrica64 · · Score: 1

      And I was not talking about server SSL certs, but CA certs. Certainly a dev that took the approach to verify a single specific certificate is not understanding PKI very well, just as you don't understand SSL architecture.
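
      To make concrete the distinction fabrica64 draws above between pinning a CA certificate and pinning one server certificate, here is an added example (not code from the thread, from Microsoft or from the Band app) using only Go's standard library: a client whose trust store holds only a constructed vendor root keeps accepting the server after its certificate is rotated under that root, yet rejects a certificate for the same hostname issued by any other CA. The CA names, the hostname and all keys and certificates are constructed on the fly for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues a certificate from tmpl with a fresh P-256 key; a nil parent means self-signed (a root).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func caTemplate(name string) *x509.Certificate { // constructed, short-lived CA template
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}
func leafTemplate(host string, serial int64) *x509.Certificate { // server certificate template
	return &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}
// acceptedByPinnedCA validates leaf for host against a trust store holding ONLY pinnedCA (OS/browser roots ignored).
func acceptedByPinnedCA(leaf, pinnedCA *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// pinnedCAScenario: vendor CA issues the original and a rotated server cert, an unrelated CA issues a third.
func pinnedCAScenario(host string) (original, rotated, foreign bool) {
	vendorCA, vendorKey := sign(caTemplate("Example Vendor Root (constructed)"), nil, nil)
	otherCA, otherKey := sign(caTemplate("Unrelated Root (constructed)"), nil, nil)
	leaf1, _ := sign(leafTemplate(host, 2), vendorCA, vendorKey)
	leaf2, _ := sign(leafTemplate(host, 3), vendorCA, vendorKey) // cert rotated under the same CA
	leaf3, _ := sign(leafTemplate(host, 4), otherCA, otherKey)   // interposed cert from another CA
	return acceptedByPinnedCA(leaf1, vendorCA, host), acceptedByPinnedCA(leaf2, vendorCA, host), acceptedByPinnedCA(leaf3, vendorCA, host)
}
func main() { fmt.Println(pinnedCAScenario("api.example.invalid")) } // prints: true true false
```

      The same pool-based check is what a client would put behind a TLS config's RootCAs; pinning the root rather than the leaf is what lets the server rotate certificates without a client update, which is the failure the government-department anecdote describes.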

    7. Re:This also means by Opportunist · · Score: 1

      We're all holding our collective breath waiting to hear your practical, commercially and technically feasible alternative.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    8. Re:This also means by WaffleMonster · · Score: 1

      We're all holding our collective breath waiting to hear your practical, commercially and technically feasible alternative.

      The proper technical solution is to bind encryption with a secure user authentication protocol.

      Dump the certs in the trash where they belong and use TLS-SRP.

      Technology is readily available and easy to implement.

    9. Re:This also means by fabrica64 · · Score: 1

      Be smart, just use a CA cert you trust, not the ones someone else does, like the list provided by the browser or the OS.

    10. Re:This also means by Mikkeles · · Score: 1

      Well, specifically the owner can since he can easily install his own certificate. This allows for the fun game of sending random data to MS as extracted from your wife, pet dog, the homeless guy on the street, etc. Meanwhile he records his own data locally.

      --
      Great minds think alike; fools seldom differ.

  7. The plot thickens... by Anonymous Coward · · Score: 0

    And THIS was why I didn't want to get the damn thing, because I don't know to whom they might be peddling my stats. My insurance provider, for example? Pharma? Just let me keep my data and don't treat me as your resource mine, and I might try your snazzy new product.

  8. ankle monitor by Anonymous Coward · · Score: 0

    Amazing. Used to have to commit a crime to get one of these. Now they can be ordered online!

  9. the Band by Anonymous Coward · · Score: 0

    I hear "Microsoft Band", and wonder what kind of music they play?

    1. Re:the Band by CaptainDork · · Score: 1

      I was hoping it had a drum set.

      --
      It little behooves the best of us to comment on the rest of us.

    2. Re:the Band by Anonymous Coward · · Score: 0

      #1 hit: The BSOD Blues.

    3. Re:the Band by HatofPig · · Score: 1

      Just CANYON.MID

      --
      Silicon & Charybdis McLuhan Kildall Papert Kay

    4. Re:the Band by Anonymous Coward · · Score: 0

      chchch chchch chchch chchch ch ch chchch chchch chchch chchch ch ch baaaaaah bup bup baaaaaah bup bup badadadadah badadadadadadaaah

      Yup. CANYON.MID sure was a great song. Stupid spam filter.

  10. Oxymoron: by CaptainDork · · Score: 1

    Sole control of Internet-connected devices ... especially servers.

    --
    It little behooves the best of us to comment on the rest of us.

  11. I'm so disgusted by WaffleMonster · · Score: 1

    Seems only thing this industry is capable of producing these days is creepy stalker gadgets.

  12. Re:I'm so disgusted (and yet uplifted) by andhar · · Score: 1

    It's disgusting that companies behave like creepy stalkers when they have your data, but...

    I think it's interesting that mankind shows this need to quantify itself and achieve a sort of data-driven physical self-awareness. We're seeing the first generation to possess this kind of data, and I look forward to seeing what Smart People and Other Hackers can do with this data and their physical self-awareness. Perhaps when mankind has satiated its desire for physical self-awareness, we'll be able to return to our spiritual and philosophical sides. If we're not all already slaves to the global state.

    Or perhaps when we're oppressed by the global state, that will be the time for a new revolution and re-birth of rule by thinking people, similar to what happened when the American colonists threw off the oppression of the British monarchy, resulting in wonderful but short-lived goodness of the US Declaration of Independence, the US Constitution, founding fathers, etc.

    --
    Vaya con huevos, my darling.

  13. Re:I'm so disgusted (and yet uplifted) by Anonymous Coward · · Score: 0

    American colonists threw off the oppression of the British monarchy, resulting in wonderful but short-lived goodness of the US Declaration of Independence, the US Constitution, founding fathers, etc.

    citation needed

  14. Re:I'm so disgusted (and yet uplifted) by SecurityGuy · · Score: 1

    I suppose I find it less interesting and simply factual. People respond well to having a number to try to move, or a goal to try to reach. Knowing this about myself, it's a useful tool to have.

    The one thing I wouldn't mind changing is having a vendor that keeps all the data local rather than uploading it to servers somewhere. I don't care too much that it's uploaded to servers somewhere, but it'd be a nice plus if I had the option to keep everything local. Then again, I use sites that have a social fitness component, so I'd probably still share. Maybe what I want is just the option to restrict the vendor from sharing, and the right to permanently delete the data when I'm done with it.