Slashdot Mirror


Sniffing and Tracking Wearable Tech and Smartphones

An anonymous reader writes: Senior researcher Scott Lester at Context Information Security has shown how someone can easily monitor and record Bluetooth Low Energy signals transmitted by many mobile phones, fitness monitors, and iBeacons. The findings have raised concerns about the privacy and confidentiality wearable devices may provide. “Many people wearing fitness devices don’t realize that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” Scott says. “Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device – that may belong to a celebrity, politician or senior business executive – within 100 meters in the open air. This information could be used for social engineering as part of a planned cyber attack or for physical crime by knowing people’s movements.” The researchers have even developed an Android app that scans, detects and logs wearable devices.

56 comments

  1. Sniffing wearable tech by rossdee · · Score: 2

    whatever turns you on I suppose

    1. Re:Sniffing wearable tech by Culture20 · · Score: 2

      "By the way, try washing your wrist sometime." --Leela's wrist thingamajig

  2. Minority Report by Anonymous Coward · · Score: 1

    This reminds me of the Minority Report scene, where people could easily be tracked by their eyes being scanned and the annoying part of it I always thought was the loud mouthed advertising, with the ads giving out your name and what you bought yesterday.

    "Hi there, Jane, how are you enjoying those extra absorbent tampons you bought last week, is everything ok? Need some new underwear?"

    As to tracking for your own legal purposes, there are many services designed for that. Any technology can be abused, the question is what do you find acceptable risk?

    1. Re:Minority Report by ArcadeMan · · Score: 1

      Watch the DS9 episode where she gets stuck in the turbolift with Odo, that should change your mind.

    2. Re:Minority Report by TWX · · Score: 1

      Uh, because then the computer voice would have to change?

      --
      Do not look into laser with remaining eye.
    3. Re:Minority Report by Anonymous Coward · · Score: 0

      Uh, because then the computer voice would have to change?

      The _character_, you dumb shit-for-brains, not the _actress_. You see, they are fictional characters. Nothing that happens to them is real. It is the character who is obnoxious. Therefore the same woman could continue to do a computer voice, or whatever.

    4. Re:Minority Report by MobileTatsu-NJG · · Score: 1

      Boy did you miss the point of her character.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    5. Re:Minority Report by Anonymous Coward · · Score: 0

      The masterstroke of his comment was in beginning with the condescending "uh".

    6. Re:Minority Report by Anonymous Coward · · Score: 0

      Boy did you miss the point of her character.

      I know this is new and shocking information for average Slashdot users, but I'll tell you the truth: it's possible to fully understand something and still dislike it. Yes, believe it or not, not everyone who disagrees with you about a matter of opinion is misinformed/misguided/etc. You arrogant cunt.

    7. Re:Minority Report by MobileTatsu-NJG · · Score: 1

      That's all fine and good, but you did miss the point of her character. Your first post proved it and your ignorant reply cemented it. Nobody said anything about you having to like her.

      Have a nice day.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    8. Re:Minority Report by Anonymous Coward · · Score: 0

      When someone fully understands something and dislikes it they are able to articulate why. You ignorant cunt.

  3. In the Sticks by pubwvj · · Score: 1

    I feel sooo left out way out here in the sticks where I'm not getting my Bluetooth sniffed, or anything else except by the local wild and semi-wild fauna.

    Not.

    Seriously not. Adds one more reason to my list not to go down off the mountain...

    1. Re:In the Sticks by Whiteox · · Score: 1

      Fine. Be that way. I for one never go outside because strange things happen when I go outside.

      --
      Don't be apathetic. Procrastinate!
    2. Re:In the Sticks by Anonymous Coward · · Score: 0

      This is great! AshleyMadison should make a spouse tracker app that will let you know when it is safe to get naughty with someone. You will be warned when your wife is getting too close. You could set your own perimeters, etc.

    3. Re:In the Sticks by Anonymous Coward · · Score: 0

      This is great! AshleyMadison should make a spouse tracker app that will let you know when it is safe to get naughty with someone. You will be warned when your wife is getting too close. You could set your own perimeters, etc.

      Life360's Family Locator is a good start.

  4. Really? by Frosty+Piss · · Score: 2

    The findings have raised concerns about the privacy and confidentiality wearable devices may provide.

    Who ever suggested that there was any "privacy and confidentiality" of wearable devices that use Bluetooth? Who would even think such a thing? We're not talking about encrypted communications devices here...

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Really? by fuzzyfuzzyfungus · · Score: 1

      Value judgements have their place; but leaping to them tends to involve jumping over a host of important factors.

      The point isn't about who you blame, it's the fact that the capability has gotten a whole lot easier and cheaper.

    2. Re:Really? by TWX · · Score: 3, Interesting

      I'm guessing that most people think that they're secure in their privacy unless they're forced into a confrontation that proves they aren't. Look at all of the corporate officers that get busted with e-mail and text messages that document their white-collar crimes. Those people are supposed to be pretty smart and even they still don't understand how the technology or the law actually work.

      --
      Do not look into laser with remaining eye.
    3. Re: Really? by Anonymous Coward · · Score: 0

      People probably assume that the pairing process is about more than the literal pairing.

      Which would be a safe assumption if there weren't idiots implementing the system. It's similar to wifi signals that use security that's not been vetted by expert in security or cryptography.

      Or more likely they don't think about it or how the information gets combined with other information.

    4. Re: Really? by Anonymous Coward · · Score: 0

      Or more likely they don't think about it or how the information gets combined with other information.

      To do any thinking when it isn't explicitly required by a boss or other authority figure is decidedly un-American. It is not the birthright and privilege of free people with free minds; nay, it is a terrible burden to be offloaded or avoided entirely whenever possible.

    5. Re:Really? by AmiMoJo · · Score: 2

      Who would even think such a thing?

      Ordinary people assume that when something is "connected" to their phone, it is connected in the same way that a cable connects things or they are connected to secure wifi with a password. The fact that you usually need to use a PIN number to pair Bluetooth devices further adds to the illusion that it is secure, because PINs are for security.

      Engineers have to accept responsibility here. We have to make things secure by default, and respect privacy. Users don't appreciate the somewhat subtle differences between types of security, or that because one type of Bluetooth is fairly secure it doesn't mean that another type is also going to be secure, or even that there is more than one type.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Kinda neat for sign-in sign-out systems by Brulath · · Score: 5, Interesting

    Broader privacy implications aside, it's actually kind of neat to be wearing a device which can identify when you're in a particular space and how long for. We have a volunteer tech group working on projects at our local museum and one of the guys implemented a fitbit scanner to identify when people were present and how long for (which is useful, as bureaucracy dictates we sign in/out for fire and visitor-tracking reasons). Every few minutes it broadcasts a request for fitbits, and all those within range respond. They return a mac which can be linked back to a fitbit account, if the user has authorised us to access it, which makes it a bit easier to identify the person who owns the fitbit. We could probably replace it with another sign in system, but passive is kind of neat when you want it.

    I assume resolving the identifying problem wouldn't be as easy as using a random mac?

    1. Re:Kinda neat for sign-in sign-out systems by Anonymous Coward · · Score: 0

      I remember back when people said things were "neat". It was the late 1980s. In the 1970s the meme was "terrific".

    2. Re:Kinda neat for sign-in sign-out systems by TWX · · Score: 1

      Changing a MAC once won't do any good, as once the new MAC is learned, if it's seen again then it'll be recognized again.

      --
      Do not look into laser with remaining eye.
  6. Really? by Anonymous Coward · · Score: 0

    Whatever happened to good ol' fashioned stalking being the problem. Or, you know, the criminal being the problem.

    I don't blame technology. I blame the criminal for committing the crime.

  7. I installed it ... by CaptainDork · · Score: 1

    ... and it does nothing.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:I installed it ... by zlives · · Score: 1

      it updates your location to their servers right away... it's not supposed to do anything else, you have now been tagged as one of the people to be interrogated later by 3 letter agency of your choice because you clearly were trying to hack something.... i think that's how it goes :)

  8. Big Deal by PopeRatzo · · Score: 2

    "Sniffing and tracking"? My seven year old beagle does those things and has much longer battery life.

    Call me when you're bluetooth device can fetch a tennis ball.

    --
    You are welcome on my lawn.
    1. Re:Big Deal by fuzzyfuzzyfungus · · Score: 2

      Unfortunately, despite not being iBeagle, you will find your beagle's battery...difficult to user service...when depleted. Also problematic to restore from backup.

    2. Re:Big Deal by Anonymous Coward · · Score: 0

      And call us when your spellchecker does its job properly.

    3. Re:Big Deal by PopeRatzo · · Score: 1

      you will find your beagle's battery...difficult to user service...when depleted.

      A few doggie treats and a quick nap on the porch is all the user service she needs.

      --
      You are welcome on my lawn.
    4. Re:Big Deal by Anonymous Coward · · Score: 0

      you will find your beagle's battery...difficult to user service...when depleted.

      A few doggie treats and a quick nap on the porch is all the user service she needs.

      She sounds like a real bitch!

    5. Re:Big Deal by Anonymous Coward · · Score: 0

      That would be grammar, not spelling. Asshat.

  9. Let's get to the extreme. by Ateocinico · · Score: 1

    Saturate your body with sensors. A bluetooth connection for every hair in your ears, nose and butt. Wifi for each of your liver's lobes, flow sensor in your intestines, strain gauges glued to your nails, ears and eyelids, a nanomagnetometer for every neuron, tile the inner wall of your small intestine with enzyme chips, etc, etc. If enough people follow that trend, soon the data flow is going to surpass any available computing power to process it. And being fashionable in the process, the real concern of most gadget users.

    1. Re:Let's get to the extreme. by ihtoit · · Score: 1

      the Internet of Everything starts with everything else and ends with permanent and persistent tracking of humans from the second their skin hits air to the second they expire. You have two choices here: accept the inevitability of this march to not only total information awareness but total corporate control over that information and total monetisation of that information entirely at your expense, or simply say "NO, I WILL NOT BE WIRED, TRACKED, NUMBERED, SERIALISED, SOLD, COMMODITISED OR ELECTRONICALLY CONSTRAINED".

      I know which I'm picking.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    2. Re:Let's get to the extreme. by zlives · · Score: 1

      control of information is necessitated by our want of privacy... if we don't care about privacy, there is no need for control. freely available total information awareness, thus, as a goal would actually set us on the path away from "total monetisation".

    3. Re:Let's get to the extreme. by ihtoit · · Score: 1

      TIA doesn't mean what I think you think it means. It's not personal knowledge of what information about you is going where, it's about the fact that every single little facet of your life, right down to how runny your shit is, is/will be being recorded and made money on for somebody else. That somebody else controls YOUR information. You don't even KNOW what and how much information about you is being gathered every second of every day and where it is going. Even trying to opt out of the system is information that someone can use. Simply not interacting with the system is probably the only way to minimise the amount of information you put out, but that might involve a sendep tank in a super secret facility that not even God knows about.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  10. The made-for-TV-movie... by fuzzyfuzzyfungus · · Score: 1

    While they are admittedly a staple of low-budget action shlock; it seems that the 'celebrities, politicians, and high level business executives'(none of those midlevel guys, do you know what a kidnapping costs, per kilogram of hostage?) would be the least relevant targets for this flavor of attack.

    Fancy prominent people are valuable, strategically relevant, or have deranged and dangerous fans. Such people have merited considerable human effort on the part of assorted attackers more or less since the invention of enough society to be hierarchical.

    A cheap, ubiquitous, trivial-to-implement; and quite possibly also legal (no reasonable expectation of privacy, yadda yadda) tracking mechanism doesn't change the game for them, it changes the game for every last Joe and Jane Nobody with some RF widget. As cellphones have demonstrated, enough bluetooth to track nearby bluetooth radios, and enough cellular hardware to report back to the mothership is smaller than a deck of cards, especially if installed somewhere with access to power. It's also cheap, potentially vanishingly so compared to things like billboard/signage space in well traveled areas, or other plausible deployment points.

    "The CEO of SomethingDyne Corp has been kidnapped! Can you backtrace his bluetooth?" makes a better B movie; but this tracking technique is far more promising as a cheap, ubiquitous, mass observation mechanism(probably for some bullshit 'audience engagement metrics' thing, not even a proper authoritarian dystopia) than it is for picking off some dude in an armored limo with a couple of those ear-radio guys flanking him.

  11. Wrong!! by ultranerdz · · Score: 3, Informative

    Bluetooth 4.1 adds Randomised private resolvable addresses. This allows only bonded devices to be tracked this way.

    1. Re:Wrong!! by gl4ss · · Score: 2

      this is really "news" from 2000.

      furthermore, iBeacons and such are used exclusively for the purpose of creating a beacon..

      --
      world was created 5 seconds before this post as it is.
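
An added example, not part of any comment in this thread and not the researchers' app: the address types raised above (a fixed MAC, a "random mac", and resolvable private addresses) can be told apart from the advertising PDU header alone, which lets you audit whether your own device exposes a stable identifier. The device labels, addresses and helper names are constructed for illustration; captures are assumed to be labelled by the tester on a lab bench.

```python
from collections import defaultdict

# Advertising PDU types whose payload starts with the advertiser address (AdvA).
ADV_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
             0x4: "SCAN_RSP", 0x6: "ADV_SCAN_IND"}
# The two most significant bits of a *random* device address give its subtype.
RANDOM_SUBTYPES = {0b11: "random-static", 0b01: "resolvable-private",
                   0b00: "non-resolvable-private", 0b10: "reserved"}
STABLE_KINDS = {"public", "random-static"}   # these do not rotate over time


def parse_adv_pdu(pdu: bytes):
    """Return (pdu_type, is_random, address) from a raw advertising PDU."""
    if len(pdu) < 8:
        raise ValueError("PDU too short for header plus AdvA")
    pdu_type = pdu[0] & 0x0F
    if pdu_type not in ADV_TYPES:
        raise ValueError(f"PDU type {pdu_type:#x} carries no AdvA at offset 2")
    if pdu[1] < 6 or len(pdu) < 2 + pdu[1]:
        raise ValueError("length field inconsistent with captured bytes")
    is_random = bool(pdu[0] & 0x40)      # TxAdd bit: 0 = public, 1 = random
    address = pdu[2:8][::-1].hex(":")    # AdvA is sent least significant byte first
    return ADV_TYPES[pdu_type], is_random, address


def classify_address(is_random: bool, address: str) -> str:
    """Name the address kind from the TxAdd flag and the top two address bits."""
    if not is_random:
        return "public"
    return RANDOM_SUBTYPES[int(address[:2], 16) >> 6]


def audit(captures):
    """captures: iterable of (device_label, raw_pdu).
    Returns {label: (address_kind, distinct_addresses, stable_identifier)}."""
    kinds, addrs = defaultdict(set), defaultdict(set)
    for label, pdu in captures:
        _, is_random, address = parse_adv_pdu(pdu)
        kinds[label].add(classify_address(is_random, address))
        addrs[label].add(address)
    report = {}
    for label in kinds:
        # Stable if the kind never rotates, or nothing rotated during the capture.
        stable = bool(kinds[label] & STABLE_KINDS) or len(addrs[label]) == 1
        report[label] = ("/".join(sorted(kinds[label])), len(addrs[label]), stable)
    return report


def make_pdu(pdu_type: int, is_random: bool, address: str) -> bytes:
    """Build a constructed sample PDU: header, AdvA, and a Flags AD structure."""
    adva = bytes.fromhex(address.replace(":", ""))[::-1]
    payload = adva + b"\x02\x01\x06"
    return bytes([pdu_type | (0x40 if is_random else 0), len(payload)]) + payload


# Constructed captures; labels and addresses are made up for this example.
SAMPLE = [
    ("band",   make_pdu(0x0, True,  "c8:0f:10:aa:bb:cc")),
    ("band",   make_pdu(0x0, True,  "c8:0f:10:aa:bb:cc")),
    ("phone",  make_pdu(0x0, True,  "5a:11:22:33:44:55")),
    ("phone",  make_pdu(0x0, True,  "7c:9e:01:02:03:04")),
    ("beacon", make_pdu(0x2, False, "00:11:22:33:44:55")),
]

if __name__ == "__main__":
    for label, (kind, n, stable) in audit(SAMPLE).items():
        print(f"{label:7} {kind:22} addresses={n} stable_identifier={stable}")
```

A device reported with `stable_identifier=True` advertises the same address for the whole capture, which is the property the story and the replies about changing a MAC only once are concerned with.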
  12. HIPPA by sunderland56 · · Score: 3, Interesting

    Isn't leaking personally identifiable health information a violation of HIPPA?

    1. Re:HIPPA by Anonymous Coward · · Score: 0

      Not if you leak it yourself.

    2. Re:HIPPA by Anonymous Coward · · Score: 0

      No, but you can sniff my leaks

    3. Re:HIPPA by swillden · · Score: 1

      It's HIPAA, not HIPPA.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:HIPPA by cmseagle · · Score: 1

      What protected health information is being leaked? You can identify a device and then maybe tie that device to an individual, but you aren't gaining access to any of their sensitive data.

  13. bluetooth by Anonymous Coward · · Score: 0

    Why use the bluetooth in the first place? I only use usb cable and wifi to connect to computer.
    Best action is to disconnect the actual bluetooth antenna, so that you can plug it back, if you ever really need that damn bluetooth.

    1. Re:bluetooth by ihtoit · · Score: 1

      you don't use Bluetooth which works on the same 2.4GHz band as wifi, but you'll use wifi which works on the same 2.4GHz band as Bluetooth.

      Sounds legit.

      (for myself, I tend not to use anything which radiates for a return signal these days, instead preferring to trail a 50m cable around the house for internet access and the phone is either wired landline or wired headset for the cellphone which I don't carry on me anyway, and when it is in use it sits on the desk. I consider Bluetooth to be such a serious security risk I physically disable it when I find it by removing the card (if it's in a laptop), or I flash it to useless (easily done on a phone, older firmwares generally don't have functional Bluetooth drivers). Wifi is easily disabled, generally that's a case of simply shoving a pin through the cable).

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  14. Wow by nospam007 · · Score: 1

    "...identify and locate a particular device – that may belong to a celebrity, politician or..."

    IOW a wet dream for paparazzi.

  15. Only a matter of time by Anonymous Coward · · Score: 0

    before someone puts up a website of interesting mac's seen/to watch for.

    I wonder if this can go both ways?
    Can you send to the device, or look like you are sending from the device?

    Seems like this wearable stuff is not fully thought out.
    Perhaps the next gen will have power backoff to prevent emitting a bigger signal than it has to.

    1. Re:Only a matter of time by Muad'Dave · · Score: 1

      That app and website already exist. I don't remember what the app is right now (it's on the Android Store), but there's an app there that receives and uploads all MACs seen + GPS info + some BLE service info.

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
  16. I only use pre-BLE - security & reliability. by allquixotic · · Score: 1

    The latest wave of BLE / "Bluetooth Smart" devices, everything from headphones to keyboards to fitness bands, are a joke. Not only is the connection reliability *terrible*, but a paper describing a method of attacking the protocol has been out for a while now.

    My suggestion, and what I currently do, is refuse to buy any product that advertises that it supports or uses Bluetooth Low Energy or Bluetooth Smart or Bluetooth 4.0. Anything similar to that in the marketing literature or tech specs, and I pass it by. Bluetooth 4.0 might be OK, as long as one of the two devices you're connecting only supports Bluetooth 3.0 or earlier. And yes, I'm aware that not all Bluetooth 4.0 devices are using BLE/Smart, but in my testing and experience, anything communicating with the Bluetooth 4.0 protocol is fraught with problems.

    I'm getting a lot more use than I expected out of devices and peripherals that are more than 2 years old that support BT 2.1 or BT 3.0. Looks like I'll be hanging on to them for another 1-2 years until they design a revised low energy protocol that isn't an absolute joke. No one's laughing, Bluetooth SIG.

    And, yeah... the reliability issues are especially galling.

    I have a bunch of different pairs of Bluetooth headphones and devices that transmit bluetooth audio, from "adapters", to smartphones, to desktop computers with a Bluetooth dongle, to laptops with built-in Bluetooth.

    I consistently get great sound and no dropouts or clicks or pops, even at distances of 7 - 8 meters (usually further than most bluetooth devices can transmit without starting to drop out), as long as *at least one* of the devices does not support BLE/Bluetooth Smart/4.0. However, if both the headphones and the transmitter support Bluetooth 4.0 and/or Bluetooth LE, I get consistent and horrid clicks and pops and dropouts, regardless of range or wireless interference. To rule out interference, I performed the tests both at home and at work; my home environment has almost no traffic in the 2.4 GHz band, while the wireless environment at work is extremely noisy.

    My tests are pretty conclusive. Right now, in my opinion, the best thing you can do is either don't buy Bluetooth 4.0 / BLE devices, or if you do, make sure you're pairing it with a device that forces it into an earlier-spec compatibility mode, like Bluetooth 3.0. You may, in fact, get worse battery life if you do this, but I would gladly trade that for extended range, reliability and sound quality, which is especially important if you are listening to music.