1
HOW SAFE IS YOUR QUANTIFIED SELF?
ATTACK POINTS IN HEALTH APPS & WEARABLE DEVICES
Candid Wüest, Symantec Security Response
Location: Vienna
Thanks to: Mario Ballano & Hon Lau
2
WHAT IS QUANTIFIED SELF?
Intersection of major consumer & IT trends: recording everything about your life
• Internet of Things
• Wearable Tech
• Business Health
• Culture
• Sports & Recreation
What if there were no hypothetical questions? Symantec Security Response 2014
3
More moving parts = more risks
4
WHERE THE BITS FIT IN
The secret life of mobile apps...
Parties a health app talks to: app provider, OS provider, app frameworks, app analytics, ad networks, social media, CRM/marketing, utility APIs
Max domains contacted by a single app: 14
Avg domains contacted: 5
5
UNINTENTIONAL DATA LEAKS
Example: Fitbit once had “sexual activity” visible to all by default
VERIFY THE DEFAULT SETTINGS!
6
DATA “CUSTODIANS”
52% of the analyzed apps had no privacy policy
It is personally identifiable information, but not as we know it
“Apps that access HealthKit are required to have a privacy policy,…” Apple.com
7
YOUR DATA IS ALREADY ANALYSED
Jawbone: who was asleep during the 2014 San Francisco earthquake?
8
DO YOU NEED AN ALIBI?
Fitbit used in court to show reduced activity levels
9
20% SENT PASSWORD IN CLEAR TEXT
• A large proportion of the top 100 health apps leaked activity data over plain HTTP
• Some apps accepted self-signed certificates or did not check revocation lists, so even their HTTPS traffic can be intercepted
POST http://api.******.com/Mobile/Functions.ashx?action=RegisterUser FName: ken LName: west GoalWeight: 68 Email: [email protected] Password: P@SSw0rd ……
GET http://*****.***/api/createUser? username=KenWest [email protected] password=P@SSw0rd
POST http://******.*******.net/cgi-bin/account password: 8EEFB875DB938CEC08299BE7AA709EE0 action: create email: [email protected] preflang: de_CH ...
No need to crack: the server accepts the client-side hash as the credential, so simply pass the hash
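As an added example (not code from the talk or from the analysed apps), a scanner for the three problems on this slide: credentials over plain HTTP, credentials in the query string, and a client-side hash sent as the credential. It reads one-line captures in the slide's own "METHOD URL field: value ..." form; the four requests are constructed to mirror the redacted ones above, with placeholder hostnames, and the list of credential field names is an assumption to extend per app:

```python
"""Scan captured HTTP requests for credentials sent insecurely.

Added example for this talk; not code from the analysed apps or from
Symantec. The capture format is the one shown on the slide
('METHOD URL field: value field: value ...'); the requests below are
constructed and the hostnames are placeholders.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumption: these field names carry a credential; extend per app under test.
CREDENTIAL_FIELDS = {"password", "pwd", "pass", "passwd", "secret", "token"}
# A bare hex digest of MD5 / SHA-1 / SHA-256 length sent as the credential.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
BODY_FIELD = re.compile(r"(\w+):\s*(\S+)")

# Constructed captures, modelled on the redacted ones in the slide.
CAPTURED_REQUESTS = [
    "POST http://api.example.com/Mobile/Functions.ashx?action=RegisterUser "
    "FName: ken LName: west GoalWeight: 68 Email: ken@example.com Password: P@SSw0rd",
    "POST http://tracker.example.net/cgi-bin/account "
    "password: 8EEFB875DB938CEC08299BE7AA709EE0 action: create email: ken@example.com preflang: de_CH",
    "GET http://app.example.org/api/createUser?username=KenWest&email=ken@example.com&password=P@SSw0rd",
    "POST https://api.example.com/v2/login email: ken@example.com password: P@SSw0rd",
]


def parse_request(line):
    """Split one capture line into (method, url parts, query params, body fields)."""
    method, _, rest = line.strip().partition(" ")
    url, _, body = rest.partition(" ")
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    fields = dict(BODY_FIELD.findall(body))
    return method.upper(), parts, params, fields


def audit(line):
    """Return the findings for one request, in a fixed order."""
    _method, parts, params, fields = parse_request(line)
    in_url = {k: v for k, v in params.items() if k.lower() in CREDENTIAL_FIELDS}
    in_body = {k: v for k, v in fields.items() if k.lower() in CREDENTIAL_FIELDS}
    creds = {**in_url, **in_body}
    findings = []
    if not creds:
        return findings
    if parts.scheme != "https":
        # Anyone on the path (hotel Wi-Fi, carrier, proxy) can read it.
        findings.append("cleartext-transport")
    if in_url:
        # Query strings land in server, proxy and CDN logs and in referrers.
        findings.append("credential-in-url")
    if any(HEX_DIGEST.match(v) for v in creds.values()):
        # The client hashed the password and the server accepts the hash as
        # the credential: a captured hash is replayed as-is, no cracking needed.
        findings.append("replayable-hash")
    return findings


def summarize(lines):
    """Count each finding across a capture, e.g. to get the share of apps
    sending credentials in clear text."""
    counts = Counter()
    for line in lines:
        counts.update(audit(line))
    return counts


if __name__ == "__main__":
    for req in CAPTURED_REQUESTS:
        print(audit(req) or ["ok"], req.split(" ", 2)[1])
    print(dict(summarize(CAPTURED_REQUESTS)))
```

The last request (HTTPS POST) yields no finding, which is the floor, not the ceiling: a capture cannot tell you whether the app validated the server certificate, so the self-signed-certificate and revocation checks from the slide still need an interception proxy with an untrusted certificate.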
10
ENUMERATE USER DATA
HTTP GET /api/getUser/877 [No authentication needed; the numeric ID can simply be counted up]
{"result":true,"data":{"id":"877","name":"Kenwest","email":"[email protected]", "password":"705bf40d40cb2904b04294fbc355XXXX","role":"0","about":null,"salt":"XgDLkaenP1","sex":"Male","age":null,"purpose":null,"coach_id":"1","heightfeet":null,"birthday":null,"heightinch":null,"startweight":null,"_currentweight":null,"targetweight":null,"_startbf":null,"_currentbf":null,"_targetbf":null,"_systolic":null,"_diastolic":null,"neck":null,"_hips":null,"_waist":null,"forearm":null,"wrist":null,"imageurl":null,"photo":null,"thumbnail_65":null,"thumbnail_150":null,"nike_user":null,"nike_pwd":null,"nike_join":"0","face_uid":null,"provider":"0","timezone":"America\/Los_Angeles","fitbit_token":null,"fitbit_secret":null,"fitbit_join":"0","withings_token":null,"withings_secret":null,"withings_userid":"0","withings_join":"0","google_uid":null,"google_join":"0", "facebook_access_token":null,"face_join":"0","first_run":"0","metric":"0","last_entry":null,"face_cache_last_update":null,"uuid":"d53fe2973d3ad4276a8aa5aaae0730aXXXX74aeefd9cc446b80eb14391a6XXXX","friendly":0,"follow":0,"currentweight":"190","sexnumber":"1","percent_to_lose":100,"percent_to_bf_lose":100,"totalbudget":1650,"systolic_warning":"bar bar-warning", "diastolic_warning":"bar bar-warning","systolic":null,"diastolic":null, "startavatar":"\/img\/male\/male_110","avatar":"\/img\/male\/male_190","points":0,"avgcalories":"108.71263885498047","avgminutes":"44.0000","avgweight":"190","sumweekcalories":"Still working on weight loss","level":"Newbie","xxxxscore":0.60394444444444}}
Returned to anyone who asks:
• Name, birthday, photo
• Password (hash) and salt
• Email: ideal for spammers, with context
• Fitbit_token, Withings_token, Google_uid, Facebook_access_token, nike_user/nike_pwd: linked social media and service accounts
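As an added example (not the app's code), a plain-Python model of the endpoint above beside a hardened version. Only the field names follow the captured response; the second user, the session table and every value are constructed, and the session-token lookup is an assumption about how the hardened service would identify its caller:

```python
"""Unauthenticated profile endpoint vs. a hardened one, as a plain-Python model.

Added example; not the app's code. The field names mirror the captured
response on the slide (id 877); the values, the second user and the
session table are constructed.
"""

# Constructed user table with sequential ids, as /api/getUser/877 suggests.
USERS = {
    877: {"id": 877, "name": "Kenwest", "email": "ken@example.com",
          "password": "705bf40d40cb2904b04294fbc355aaaa", "salt": "XgDLkaenP1",
          "sex": "Male", "birthday": "1980-01-01", "currentweight": "190",
          "avatar": "/img/male/male_190", "fitbit_token": "fb-tok-877",
          "fitbit_secret": "fb-sec-877", "facebook_access_token": "fb-oauth-877"},
    878: {"id": 878, "name": "Rita", "email": "rita@example.com",
          "password": "9f86d081884c7d659a2feaa0c55ad015", "salt": "Q1w2e3r4",
          "sex": "Female", "birthday": "1990-05-05", "currentweight": "140",
          "avatar": "/img/female/female_140", "fitbit_token": None,
          "fitbit_secret": None, "facebook_access_token": None},
}
SESSIONS = {"sess-877": 877, "sess-878": 878}  # constructed: session token -> user id

# What any authenticated member may see of another member's profile page.
PUBLIC_FIELDS = ("id", "name", "avatar")
# What the owner may additionally see of their own record.
OWNER_FIELDS = ("email", "birthday", "sex", "currentweight")
# Never serialised to a client: verifier material and third-party OAuth material.
SECRET_FIELDS = ("password", "salt", "fitbit_token", "fitbit_secret", "facebook_access_token")


class Unauthorized(Exception):
    """No valid session presented."""


def get_user_vulnerable(user_id):
    """The behaviour on the slide: no authentication, whole row returned,
    so a loop over 1..N dumps every member's hash, salt and OAuth tokens."""
    return USERS.get(user_id)


def get_user_hardened(user_id, session_token):
    """Require a session, scope the response to the caller's relationship to the
    record, and build it from an allow-list so new columns stay private by default."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Unauthorized()
    row = USERS.get(user_id)
    if row is None:
        return None
    fields = PUBLIC_FIELDS + (OWNER_FIELDS if caller == user_id else ())
    return {k: row[k] for k in fields}


def leaked_secrets(response):
    """Which secret fields a response carries; the check to put in an API test."""
    if not response:
        return []
    return [k for k in SECRET_FIELDS if k in response]


def dump_all_vulnerable(max_id):
    """The enumeration attack: sequential ids, one request each."""
    return {i: get_user_vulnerable(i) for i in range(1, max_id + 1) if get_user_vulnerable(i)}


if __name__ == "__main__":
    print(leaked_secrets(get_user_vulnerable(877)))
    print(get_user_hardened(877, "sess-877"))
    print(get_user_hardened(877, "sess-878"))
```

The allow-list is the part that matters: the captured response shows what happens when the ORM row is serialised wholesale, and a deny-list would have missed nike_pwd the day that column was added.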
11
OPEN REMAILER SCRIPT
The site's sendmail.php takes recipient, subject and message body from the request, so anyone can send mail from the provider's domain:
POST http://www.***.com/members/community130204/sendmail.php email: [email protected] subject: Daily Activity message: Dear User, You have 1 new private message. Please go to …
POST http://www.***.com/members/community130204/sendmail.php email: [email protected] subject: Your Daily Spam message: Dear User, You have 1 new SPAM message. Please click here…
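As an added example (not the site's sendmail.php), a plain-Python model of the open script beside a notification function that keeps recipient and text on the server side. The member table, the session table, the template and the rate limit are assumptions; "outbox" stands in for the mail transport:

```python
"""Open remailer vs. fixed-template notification, as a plain-Python model.

Added example; not the site's sendmail.php. The vulnerable function models
the request on the slide; member table, sessions, template and rate limit
are assumptions for the hardened version, and 'outbox' replaces the MTA.
"""
import time

MEMBERS = {877: {"name": "Ken", "email": "ken@example.com"}}  # constructed
SESSIONS = {"sess-877": 877}                                  # constructed
TEMPLATES = {
    "new_private_message": (
        "Daily Activity",
        "Dear {name},\nYou have {count} new private message(s). Log in to read them.",
    ),
}
RATE_LIMIT, RATE_WINDOW = 3, 3600  # mails per member per hour (assumption)
_sent_at = {}


def sendmail_open(form, outbox):
    """Models the slide's sendmail.php: recipient, subject and body are all
    taken from the request, so anyone can relay spam from the site's domain."""
    outbox.append({"to": form["email"], "subject": form["subject"], "body": form["message"]})
    return True


def notify_hardened(session_token, template, outbox, count=1, now=None):
    """Recipient comes from the session, text from a server-side template,
    and each member is rate-limited; nothing free-form crosses the trust boundary."""
    member_id = SESSIONS.get(session_token)
    if member_id is None:
        raise PermissionError("no session")
    if template not in TEMPLATES:
        raise ValueError("unknown template")
    now = time.time() if now is None else now
    recent = [t for t in _sent_at.get(member_id, []) if now - t < RATE_WINDOW]
    if len(recent) >= RATE_LIMIT:
        raise RuntimeError("rate limit")
    _sent_at[member_id] = recent + [now]
    member = MEMBERS[member_id]
    subject, body = TEMPLATES[template]
    outbox.append({"to": member["email"], "subject": subject,
                   "body": body.format(name=member["name"], count=int(count))})
    return True


if __name__ == "__main__":
    box = []
    sendmail_open({"email": "victim@example.org", "subject": "Your Daily Spam",
                   "message": "Please click here"}, box)
    notify_hardened("sess-877", "new_private_message", box)
    print(box)
```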
12
POSSIBLE IMPACT
• Account hijack
  o The problem of password reuse
  o Costs: sign the user up for premium services, commitments, …
  o Change the privacy settings
• Spam
  o Enumerate user data to send spam with context
  o Create dummy accounts & use profile pages as spam landing pages
  o Use social media accounts to find friends and spam them
13
GET REWARDED
Who said you have to run yourself? Dog-sitter?
14
POSSIBLE IMPACT
• Loss of privacy
  o Reveal personal details: identity theft, profiling, extortion, …
  o Reveal location: stalking, burglary, kidnapping, corporate misuse, …
• Loss of integrity
  o Modify/inject data: gain rewards, high scores, frustrate others ;-)
  o Delete the account and history
  o Brick/change the device through firmware updates
15
BLUETOOTH LOW ENERGY
aka Bluetooth SMART and BTLE, part of Bluetooth 4.0 (2010)
• Different from classic Bluetooth
• Does frequency hopping but can still be sniffed
• Pairing has been broken (Mike Ryan)
“Bluetooth Smart (low energy) technology supports a feature that reduces the ability to track a Bluetooth device over a period of time by changing the address on a frequent basis.” Bluetooth.org
The feature is optional: a device that keeps advertising from a fixed address can be recognised every time it comes into range, which is what the scans on the following slides rely on.
16
SCANNING WITH A BLUEBERRY PI!
OUR BLUETOOTH TRACKER
• Bluetooth 4.0 USB dongle: $7
• Raspberry Pi: $35
• Battery pack: $28
• 4GB SD card: $5
TOTAL PRICE: $75
17
SCAN RESULTS FOR A MINI MARATHON
[Chart: share of scanned devices per category A to I, y-axis 0% to 45%]
• The phone may reveal the real name associated with the device
• 30 of 563 devices had something like a person’s name
  – Rita :)) – Darren! – Franks phone – Erica
  – Dawson – Alieen's mobile!!:) – Garret rip xxx – Big hairy bollo
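As an added example for the Bluetooth Low Energy slide and the scan results above (not the talk's Blueberry Pi code), a classifier that tells, per advertiser, whether its address is one that can be recognised on every visit or one that rotates under the BLE privacy feature, and that flags local names that look like a person's name. Entries are (address, address type, local name) as a bluepy scan reports them (ScanEntry.addr, ScanEntry.addrType, the Complete Local Name AD field); the five entries are constructed and the name heuristic is an assumption:

```python
"""Classify BLE advertisers from a scan by how trackable their address is,
and flag device names that look like a person's name.

Added example; not the talk's Blueberry Pi code. Entries are
(address, address_type, local_name) as a bluepy scan reports them;
the scan below is constructed and the name heuristic is an assumption.
"""
import re

# Constructed scan; a real one comes from the Bluetooth 4.0 dongle on the Pi.
SCAN = [
    ("C4:BE:84:12:34:56", "public", "Flex"),          # fixed public address
    ("FA:1B:2C:3D:4E:5F", "random", "Darren!"),       # static random address
    ("5A:6B:7C:8D:9E:AF", "random", None),            # resolvable private address
    ("00:1A:7D:DA:71:13", "public", "Franks phone"),  # phone leaking its owner's name
    ("2A:3B:4C:5D:6E:7F", "random", "Polar H7"),      # non-resolvable private address
]

# Product words seen in the scans (assumption: extend from your own results).
PRODUCT_WORDS = {"fitbit", "flex", "one", "zip", "force", "jawbone", "up24",
                 "nike", "fuelband", "polar", "h7", "gear", "galaxy"}
PERSONAL_HINTS = ("'s", "phone", "mobile", "iphone")


def classify_address(addr, addr_type):
    """BLE random addresses encode their sub-type in the top two bits of the
    most significant byte: 11 static, 01 resolvable private, 00 non-resolvable."""
    if addr_type == "public":
        return "public"
    top = int(addr.split(":")[0], 16) >> 6
    return {3: "static", 1: "resolvable", 0: "non-resolvable"}.get(top, "reserved")


def is_stable(kind):
    """Public and static random addresses do not change, so the device can be
    recognised every time it comes into range; private addresses rotate."""
    return kind in ("public", "static")


def looks_like_person(name):
    """Crude heuristic: a short alphabetic name that is not a product name,
    or one carrying an owner marker such as "'s" or "phone"."""
    if not name:
        return False
    lowered = name.lower()
    tokens = re.findall(r"[a-z0-9']+", lowered)
    if any(t in PRODUCT_WORDS for t in tokens):
        return False
    if any(h in lowered for h in PERSONAL_HINTS):
        return True
    return 1 <= len(tokens) <= 3 and all(t.isalpha() for t in tokens)


def summarize(scan):
    """Counts per scan: how many devices are trackable across visits and how
    many leak something like a person's name."""
    out = {"total": len(scan), "stable": 0, "rotating": 0, "personal_names": 0}
    for addr, addr_type, name in scan:
        kind = classify_address(addr, addr_type)
        out["stable" if is_stable(kind) else "rotating"] += 1
        out["personal_names"] += looks_like_person(name)
    return out


if __name__ == "__main__":
    for addr, addr_type, name in SCAN:
        print(addr, classify_address(addr, addr_type), name, looks_like_person(name))
    print(summarize(SCAN))
```

Three of the five constructed devices keep a stable address and two carry a personal name. On a real scan the address type must come from the advertising PDU (bluepy's addrType); it cannot be read off the address alone, since a public address can have any top bits.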
18
SCANNING AT VB CONFERENCE
• 50 devices at the Westin Hotel
• 29 seen till noon, not everyone made it to the breakfast ;-)
[Chart: number of devices per model, y-axis 0 to 30: Fitbit Flex, Fitbit One, Nike, Jawbone UP24, Fitbit Zip, Galaxy Gear, Polar, Fitbit Force]
19
SCAN RESULTS FOR BLACKHAT EU/14
• 203 BTLE devices and 21 wearable fitness trackers seen
20
SOME WANT THE DATA TO BE SEEN
Source: blog.everytrail.com
21
SELF-TRACKING CAN BE RISKY
Your digital footprint will be everywhere!
• 20% of the apps sent login credentials in clear text
• Up to 14 domains contacted by a single app
• 52% do not have a privacy policy
22
WHAT CAN USERS DO?
• Screen lock
• Device encryption
• Don't reuse usernames/passwords
• Use strong passwords
• Security software
• Turn off Bluetooth if not required
• Keep device/software/OS updated
• Look for a privacy policy
• Check for excessive information gathering
23
WHICH QUESTIONS ARE STILL OPEN?
You can follow me on Twitter @mylaocoon
24
THANK YOU!
Copyright © 2014 Symantec Corporation. All rights reserved.
BLOG http://bit.ly/1pgGefW
WHITEPAPER http://bit.ly/1nGB4vw
TWITTER @threatintel
WEB http://www.symantec.com