Slashdot Mirror


Extracting Data From the Microsoft Band

An anonymous reader writes The Microsoft Band, introduced last month, hosts a slew of amazing sensors, but like so many wearable computing devices, users are unable to access their own data. A Brown University professor decompiles the app, finds that the data is transmitted to the Microsoft "cloud", and explains how to intercept the traffic to retrieve the raw minute-by-minute data captured by the Band.


  1. The Microsoft Band by NoNonAlphaCharsHere · · Score: 1

    So, that's like the early Ramones? All the songs 2 minutes and 30 seconds long, three chords max?

    1. Re:The Microsoft Band by Snotnose · · Score: 1

      Except they lose sync after a minute or so, thus after 2 minutes 30 seconds they're all playing a different song.

    2. Re:The Microsoft Band by kelemvor4 · · Score: 2

      Except they lose sync after a minute or so, thus after 2 minutes 30 seconds they're all playing a different song.

      Hence the maximum duration being limited to 2 minutes 30 seconds.

  2. Can you ever trust Mickey$oft??? by rstanley · · Score: 1

    Why would anyone allow Mickey$oft to spy on you even more than they already do now through their O/S's, Bing, etc...???

    Anyone who does deserves the results!!!

    1. Re:Can you ever trust Mickey$oft??? by bloodhawk · · Score: 1

      At this point in time it is a pick-your-poison situation; I don't like sharing that sort of data with anyone, especially a big company like MS, but at least it is not as bad as Google.

    2. Re:Can you ever trust Mickey$oft??? by rstanley · · Score: 1

      ARE YOU SERIOUS???

      By all means! Trust Mickey$oft, the NSA, and who knows who else, with your life and all your data! ;^)

      As for me, as I say: "Keep your friends close, your enemies closer, and all your data in your pocket!!!"

      In other words, I will keep my data out of the so-called, "Cloud" and on my own servers, under my sole control!

    3. Re:Can you ever trust Mickey$oft??? by sumdumass · · Score: 1

      Who says Microsoft isn't?

      Or is it google that has you upset?

    4. Re:Can you ever trust Mickey$oft??? by bloodhawk · · Score: 1

      Firstly, this data is pretty irrelevant to most and I seriously doubt anyone gives a shit about what my heart rate is and how far I walked today, much less the NSA. Secondly, if you decide the convenience is worth your loss of control of the data (which it isn't for me, but others may feel differently) then at least MS is better than having a company like Google have access to it, and they seem to be the other likely candidate in this arena.

  3. Re:Decompiled the app? by kelemvor4 · · Score: 1

    Probably violated the EULA by doing that.

    Microsoft has undoubtedly unleashed the hounds.

    Yes, that's a given. Jeff is pretty much screwed at this point.

  4. Re:Decompiled the app? by helsinki92 · · Score: 1

    Cue the DMCA takedown notice!

  5. Re:This also means by fabrica64 · · Score: 1

    But a smart SSL application would check the cloud server against a specific SSL certificate authority (MS CA?) to protect against MITM.

  6. Re:Decompiled the app? by kelemvor4 · · Score: 1

    Cue the DMCA takedown notice!

    He will probably wish he was that lucky, this is Microsoft. More likely they'll sue for more money than he could earn in 3 or 4 lifetimes and his firstborn daughter's virginity.

  7. Re:Decompiled the app? by fizzer06 · · Score: 2

    his firstborn daughter's virginity

    Cosby already stole that.

  8. Re:This also means by fabrica64 · · Score: 1

    Thanks for the nice words... This (having a rogue top CA ruining the entire SSL system) is a known vulnerability in the SSL architecture and it has already been used to infiltrate MS Windows updates. For this reason, if you want real security you don't use the current SSL CA structure. People don't talk too much about it for various reasons: banks don't want to create panic, government wants easy wiretaps, etc. If you are happy with the current top CA lists that come with the standard browsers, you really are giving your security keys to people you don't know and that are not "certified" at all. Good luck!

  9. Oxymoron: by CaptainDork · · Score: 1

    Sole control of Internet-connected devices ... especially servers.

    --
    It little behooves the best of us to comment on the rest of us.

  10. Re:This also means by fabrica64 · · Score: 1

    In other words, just to let you understand, you don't need to have a top CA installed on your phone to be intercepted through MITM, and apparently this also happens with your whole government department...

  11. Re:the Band by CaptainDork · · Score: 1

    I was hoping it had a drum set.

    --
    It little behooves the best of us to comment on the rest of us.

  12. Re:This also means by fabrica64 · · Score: 1

    And I was not talking about server SSL certs, but CA certs; certainly a dev that took the approach of verifying a single specific certificate is not understanding PKI very well, just as you don't understand the SSL architecture.

  13. Re:the Band by HatofPig · · Score: 1

    Just CANYON.MID

    --
    Silicon & Charybdis McLuhan Kildall Papert Kay

  14. Re:Decompiled the app? by Opportunist · · Score: 1

    Maybe he should try to find shelter in a country with sensible copyright laws. Yes, they do (still) exist over here in Euroland.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  15. Re:This also means by Opportunist · · Score: 1

    We're all holding our collective breath waiting to hear your practical, commercially and technically feasible alternative.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  16. I'm so disgusted by WaffleMonster · · Score: 1

    Seems only thing this industry is capable of producing these days is creepy stalker gadgets.

  17. Re:This also means by WaffleMonster · · Score: 1

    We're all holding our collective breath waiting to hear your practical, commercially and technically feasible alternative.

    The proper technical solution is to bind encryption with a secure user authentication protocol.

    Dump the certs in the trash where they belong and use TLS-SRP.

    Technology is readily available and easy to implement.

  18. Re:This also means by fabrica64 · · Score: 1

    Be smart, just use a CA cert you trust, not the ones someone else does, like the list provided by the browser or the OS.

  19. Re:I'm so disgusted (and yet uplifted) by andhar · · Score: 1

    It's disgusting that companies behave like creepy stalkers when they have your data, but...

    I think it's interesting that mankind shows this need to quantify itself and achieve a sort of data-driven physical self-awareness. We're seeing the first generation to possess this kind of data, and I look forward to seeing what Smart People and Other Hackers can do with this data and their physical self-awareness. Perhaps when mankind has satiated its desire for physical self-awareness, we'll be able to return to our spiritual and philosophical sides. If we're not all already slaves to the global state.

    Or perhaps when we're oppressed by the global state, that will be the time for a new revolution and re-birth of rule by thinking people, similar to what happened when the American colonists threw off the oppression of the British monarchy, resulting in wonderful but short-lived goodness of the US Declaration of Independence, the US Constitution, founding fathers, etc.

    --
    Vaya con huevos, my darling.

  20. Re:This also means by Mikkeles · · Score: 1

    Well, specifically the owner can since he can easily install his own certificate. This allows for the fun game of sending random data to MS as extracted from your wife, pet dog, the homeless guy on the street, etc. Meanwhile he records his own data locally.

    --
    Great minds think alike; fools seldom differ.
  21. Re:I'm so disgusted (and yet uplifted) by SecurityGuy · · Score: 1

    I suppose I find it less interesting and simply factual. People respond well to having a number to try to move, or a goal to try to reach. Knowing this about myself, it's a useful tool to have.

    The one thing I wouldn't mind changing is having a vendor that keeps all the data local rather than uploading it to servers somewhere. I don't care too much that it's uploaded to servers somewhere, but it'd be a nice plus if I had the option to keep everything local. Then again, I use sites that have a social fitness component, so I'd probably still share. Maybe what I want is just the option to restrict the vendor from sharing, and the right to permanently delete the data when I'm done with it.