
24
HOW SAFE IS YOUR QUANTIFIED SELF? Attack points in health apps & wearable devices. Candid Wüest, Symantec Security Response. Location: Vienna. Thanks to: Mario Ballano & Hon Lau.

Posted: 08-Jun-2020

TRANSCRIPT

Page 1: 42 Calories 104 BPM Location: vIENNA 3.58 KM...123 BPM 23.56 KM 15.8 More moving parts = more risks RISK RISK RISK RISK RISK 3 WHERE THE BITS FIT IN Symantec Security Response 2014


3.58 KM 104 BPM 42 Calories

HOW SAFE IS YOUR QUANTIFIED SELF?

Candid Wüest

SECURITY RESPONSE

ATTACK POINTS IN HEALTH APPS & WEARABLE DEVICES

Location: Vienna

Thanks To: Mario Ballano & Hon Lau

Page 2:

WHAT IS QUANTIFIED SELF?

[Venn diagram: Internet of Things, Wearable Tech, Business, Health, Culture, Sports & Recreation, with QUANTIFIED SELF at the intersection]

Intersection of major consumer & IT trends: recording everything about your life.

What if there were no hypothetical questions?

Page 3:

WHERE THE BITS FIT IN

[Slide art: 123 BPM, 23.56 KM, 15.8; "More moving parts = more risks", with each component in the chain labelled RISK]

press space twice to save or once to cancel

Page 4:

UNINTENTIONAL DATA LEAKS

APP ANALYTICS: the secret life of mobile apps...

[Diagram: one app talking to ad networks, the app provider, social media, app frameworks, CRM/marketing, utility APIs and the OS provider]

Max domains contacted by a single app: 14
Avg domains contacted per app: 5

A clear conscience is usually the sign of a bad memory.

Page 5:

VERIFY THE DEFAULT SETTINGS!

Example: Fitbit once had the "sexual activity" entry visible to all by default

I don't suffer from insanity. I enjoy every minute of it.

Page 6:

DATA "CUSTODIANS"

From the analyzed apps: 52% had no privacy policy

It is personally identifiable information, but not as we know it

"Apps that access HealthKit are required to have a privacy policy, ..." (Apple.com)

CAPS LOCK – Preventing Login Since 1980.

Page 7:

YOUR DATA IS ALREADY ANALYSED

Jawbone: who was asleep during the 2014 San Francisco earthquake?

All generalizations are false.

Page 8:

DO YOU NEED AN ALIBI?

Fitbit data used in court to show reduced activity levels

I would love to change the world, but they won't give me the source code.

Page 9:

20% SENT PASSWORD IN CLEAR TEXT

A large proportion of the top 100 health apps leaked activity data over plain HTTP

Some apps accepted self-signed certificates or did not check revocation lists

Captured requests (credentials sent unencrypted; hosts redacted):

POST http://api.******.com/Mobile/Functions.ashx?action=RegisterUser
  FName: ken  LName: west  GoalWeight: 68  Email: [email protected]  Password: P@SSw0rd  ...

POST http://******.*******.net/cgi-bin/account
  password: 8EEFB875DB938CEC08299BE7AA709EE0  action: create  email: [email protected]  preflang: de_CH  ...

GET http://*****.***/api/createUser?username=KenWest [email protected] password=P@SSw0rd

The second app hashes the password on the client, but the hash itself is then the credential: no need to crack it, simply pass the hash.

What happens if you get scared half to death twice?
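The three captures above are exactly what a proxy or a sniffer on the Wi-Fi sees. The following script, an added example and not part of the talk, runs the checks a reviewer would apply to such captures: a password-like parameter on a non-TLS URL, a password in the query string (it ends up in proxy and server logs), and a hex digest in place of the password (client-side hashing that only turns the hash into the replayable credential). The captures are constructed to mirror the slide; the hostnames and e-mail addresses are placeholders.

```python
"""Flag credentials leaking from captured HTTP requests.

Input is a list of (request line, body) pairs as a proxy or sniffer would
record them. The captures below are constructed to mirror the three slide
requests plus one TLS control; hosts and addresses are placeholders.
"""
import re
from urllib.parse import parse_qsl, urlsplit

CAPTURED = [
    ("POST http://api.example-a.invalid/Mobile/Functions.ashx?action=RegisterUser",
     "FName=ken&LName=west&GoalWeight=68&Email=ken%40example.invalid&Password=P%40SSw0rd"),
    ("POST http://www.example-b.invalid/cgi-bin/account",
     "password=8EEFB875DB938CEC08299BE7AA709EE0&action=create&email=ken%40example.invalid&preflang=de_CH"),
    ("GET http://www.example-c.invalid/api/createUser?username=KenWest&email=ken%40example.invalid&password=P%40SSw0rd",
     ""),
    # control: the same credential in a POST body over TLS yields no finding
    ("POST https://api.example-d.invalid/v1/login", "user=ken&password=P%40SSw0rd"),
]

# parameter names the apps use for the password (assumed list, extend as needed)
CRED_NAME = re.compile(r"^(pass|password|passwd|pwd)$", re.IGNORECASE)
# 32/40/64 hex digits: looks like an MD5/SHA-1/SHA-256 digest computed on the client
HEX_DIGEST = re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


def analyse(request_line: str, body: str) -> list:
    """Return the findings for one captured request (empty list if clean)."""
    _method, url = request_line.split(" ", 1)
    parts = urlsplit(url)
    params = [("query", k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    params += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    findings = []
    for where, name, value in params:
        if not CRED_NAME.match(name):
            continue
        if parts.scheme.lower() != "https":
            findings.append(f"{name}: sent over plain HTTP in the {where}")
        if where == "query":
            findings.append(f"{name}: in the URL, so it lands in proxy and server logs")
        if HEX_DIGEST.match(value):
            findings.append(f"{name}: client-side hash used as the credential, replayable without cracking")
    return findings


def scan(captures=CAPTURED) -> dict:
    """Map each request line to its findings; clean requests are omitted."""
    report = {}
    for line, body in captures:
        findings = analyse(line, body)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in scan().items():
        print(line)
        for finding in findings:
            print("  -", finding)
```

The TLS control shows what the fix looks like from the wire: the same form, but the credential is inside the encrypted body. Client-side hashing is not a substitute; if the server accepts the digest as-is, the digest is the password.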

Page 10:

ENUMERATE USER DATA

HTTP GET /api/getUser/877 [no authentication needed]

{"result":true,"data":{"id":"877","name":"Kenwest","email":"[email protected]", "password":"705bf40d40cb2904b04294fbc355XXXX","role":"0","about":null,"salt":"XgDLkaenP1","sex":"Male","age":null,"purpose":null,"coach_id":"1","heightfeet":null,"birthday":null,"heightinch":null,"startweight":null,"_currentweight":null,"targetweight":null,"_startbf":null,"_currentbf":null,"_targetbf":null,"_systolic":null,"_diastolic":null,"neck":null,"_hips":null,"_waist":null,"forearm":null,"wrist":null,"imageurl":null,"photo":null,"thumbnail_65":null,"thumbnail_150":null,"nike_user":null,"nike_pwd":null,"nike_join":"0","face_uid":null,"provider":"0","timezone":"America\/Los_Angeles","fitbit_token":null,"fitbit_secret":null,"fitbit_join":"0","withings_token":null,"withings_secret":null,"withings_userid":"0","withings_join":"0","google_uid":null,"google_join":"0", "facebook_access_token":null,"face_join":"0","first_run":"0","metric":"0","last_entry":null,"face_cache_last_update":null,"uuid":"d53fe2973d3ad4276a8aa5aaae0730aXXXX74aeefd9cc446b80eb14391a6XXXX","friendly":0,"follow":0,"currentweight":"190","sexnumber":"1","percent_to_lose":100,"percent_to_bf_lose":100,"totalbudget":1650,"systolic_warning":"bar bar-warning", "diastolic_warning":"bar bar-warning","systolic":null,"diastolic":null, "startavatar":"\/img\/male\/male_110","avatar":"\/img\/male\/male_190","points":0,"avgcalories":"108.71263885498047","avgminutes":"44.0000","avgweight":"190","sumweekcalories":"Still working on weight loss","level":"Newbie","xxxxscore":0.60394444444444}}

Fields returned for any user ID, no login required:
  Name, Email, Password (hash) and salt, Birthday, Photo,
  Fitbit_token, Withings_token, Google_uid, Facebook_access_token

Ideal for spammers: email, context and social media accounts

If I agreed with you we'd both be wrong
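Two defects sit in that one response: the endpoint performs no authorization check on the object it serves (any caller can walk the numeric IDs), and it serialises the whole database row, password hash and linked-account tokens included. The handler pair below is an added example, not code from the app in the talk; the session store, table and field names are assumed and the values are made up to mirror the record on the slide.

```python
"""Vulnerable and hardened handlers for GET /api/getUser/<id>.

Added example; session scheme, field names and table contents are assumed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed user table: the stored row holds far more than a client should see
USERS = {
    877: {"id": 877, "name": "Kenwest", "email": "ken@example.invalid",
          "password": "hash-877-constructed", "salt": "XgDLkaenP1",
          "birthday": "1980-01-01", "fitbit_token": "fitbit-token-877",
          "withings_token": None, "google_uid": None,
          "facebook_access_token": "fb-token-877",
          "currentweight": "190", "avgcalories": "108.71", "level": "Newbie"},
    878: {"id": 878, "name": "Mia", "email": "mia@example.invalid",
          "password": "hash-878-constructed", "salt": "q2Zp0kLm9X",
          "birthday": None, "fitbit_token": None, "withings_token": None,
          "google_uid": None, "facebook_access_token": None,
          "currentweight": "62", "avgcalories": "210.4", "level": "Regular"},
}
SESSIONS = {"sess-ken": 877, "sess-mia": 878}   # session cookie -> user id


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_user_vulnerable(user_id: int, session: Optional[str] = None) -> Response:
    """The behaviour on the slide: no auth check, and the whole row goes out."""
    row = USERS.get(user_id)
    return Response(200, dict(row)) if row else Response(404)


PUBLIC_FIELDS = ("id", "name", "level")                                   # any logged-in user
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "birthday", "currentweight", "avgcalories")
# password, salt and the linked-account tokens are on no list: they never leave the server


def get_user_hardened(user_id: int, session: Optional[str] = None) -> Response:
    """Authenticate the caller, authorize against the requested object, and
    serialise from an allow-list instead of dumping the row."""
    caller = SESSIONS.get(session) if session else None
    if caller is None:
        return Response(401)            # must be logged in to read any profile
    row = USERS.get(user_id)
    if row is None:
        return Response(404)
    fields = OWNER_FIELDS if caller == user_id else PUBLIC_FIELDS
    return Response(200, {k: row[k] for k in fields})


if __name__ == "__main__":
    print("vulnerable:", get_user_vulnerable(877))
    print("hardened, anonymous:", get_user_hardened(877))
    print("hardened, other user:", get_user_hardened(877, "sess-mia"))
    print("hardened, owner:", get_user_hardened(877, "sess-ken"))
```

The allow-list is the part most often skipped: even with a correct ownership check, `dict(row)` still hands the owner their own password hash and OAuth tokens, which a stolen session or an XSS bug then turns into third-party account access.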

Page 11:

OPEN REMAILER SCRIPT

The app's mail script takes recipient, subject and body from the request, so anyone can send mail through it under the app's name:

POST http://www.***.com/members/community130204/sendmail.php
  email: [email protected]  subject: Daily Activity  message: Dear User, You have 1 new private message. Please go to ...

POST http://www.***.com/members/community130204/sendmail.php
  email: [email protected]  subject: Your Daily Spam  message: Dear User, You have 1 new SPAM message. Please click here...

If brute force doesn't solve your problems, then you aren't using enough.
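The fix for an open remailer is not input filtering but removing the inputs: the server already knows who to mail and what the notification says. The pair of handlers below is an added example, not the sendmail.php from the talk; the session store, account table, template names and daily limit are assumed.

```python
"""Closing the open remailer: recipient, subject and body must not come
from the request.

Added example; endpoint shape, session store, templates and limit are assumed.
"""
from typing import Optional

ACCOUNTS = {877: {"name": "Ken", "email": "ken@example.invalid", "unread": 1}}  # constructed
SESSIONS = {"sess-ken": 877}                                                  # cookie -> user id
DAILY_LIMIT = 5


def sendmail_vulnerable(form: dict, outbox: list) -> int:
    """sendmail.php as observed: whatever the caller posts is sent to anyone."""
    outbox.append({"to": form["email"], "subject": form["subject"], "body": form["message"]})
    return 200


# The only thing the client may choose is which known notification to trigger
TEMPLATES = {
    "new_message": ("Daily Activity",
                    "Dear {name}, you have {unread} new private message(s). Log in to read them."),
}
_sent_today: dict = {}          # per-user counter; a real service keys this by day


def sendmail_hardened(form: dict, session: Optional[str], outbox: list) -> int:
    user_id = SESSIONS.get(session) if session else None
    if user_id is None:
        return 401                                  # no mail for anonymous callers
    template = TEMPLATES.get(form.get("template", ""))
    if template is None:
        return 400                                  # no free-text subject or body
    if _sent_today.get(user_id, 0) >= DAILY_LIMIT:
        return 429                                  # cap what one account can trigger
    account = ACCOUNTS[user_id]
    subject, body = template
    outbox.append({"to": account["email"],          # recipient from the account, never the form
                   "subject": subject,
                   "body": body.format(name=account["name"], unread=account["unread"])})
    _sent_today[user_id] = _sent_today.get(user_id, 0) + 1
    return 200


if __name__ == "__main__":
    box = []
    print(sendmail_hardened({"email": "victim@example.invalid", "template": "new_message"},
                            "sess-ken", box), box)
```

Note that the `email` field in the form is simply ignored in the hardened version: the mail goes to the logged-in account's own address, so the worst an attacker can do is notify themselves.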

Page 12:

POSSIBLE IMPACT

• Account hijack
  o The problem of password reuse
  o Costs: sign the user up for premium services, commitments, ...
  o Change the privacy settings

• Spam
  o Enumerate user data to send spam with context
  o Create dummy accounts & use profile pages as spam landing pages
  o Use social media accounts to find friends and spam them

My software never has bugs. It just develops random features.

Page 13:

GET REWARDED

Who said you have to run yourself? Dog-sitter?

It's true hard work never killed anybody, but I figure, why take the chance?

Page 14:

POSSIBLE IMPACT

• Loss of privacy
  o Reveal personal details: identity theft, profiling, extortion, ...
  o Reveal location: stalking, burglary, kidnapping, corporate misuse, ...

• Loss of integrity
  o Modify/inject data: gain rewards, high scores, frustrate others ;-)
  o Delete the account and history
  o Brick/change the device through firmware updates

As far as we know, our computer has never had an undetected error

Page 15:

BLUETOOTH LOW ENERGY

aka Bluetooth Smart and BTLE, part of Bluetooth 4.0 (2010)

• Different from classic Bluetooth
• Does frequency hopping but can still be sniffed
• Pairing has been broken (Mike Ryan)

"Bluetooth Smart (low energy) technology supports a feature that reduces the ability to track a Bluetooth device over a period of time by changing the address on a frequent basis." (Bluetooth.org)

Some cause happiness wherever they go. Others whenever they go.

Page 16:

SCANNING WITH A BLUEBERRY PI

OUR BLUETOOTH TRACKER

  Bluetooth 4.0 USB dongle    $7
  Raspberry Pi               $35
  Battery pack               $28
  4 GB SD card                $5
  TOTAL PRICE                $75

Enter any 11-digit prime number to continue.

Page 17:

SCAN RESULTS FOR A MINI MARATHON

[Bar chart: share of devices seen per category A–I, y-axis 0–45%]

• The phone may reveal the real name associated with the device
• 30 of 563 devices had something like a person's name:
  – Rita :))  – Darren!  – Franks phone  – Erica
  – Dawson  – Alieen's mobile!!:)  – Garret rip xxx  – Big hairy bollo

WHO HAS ANY ARP JOKES?
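The address-rotation feature quoted from Bluetooth.org on the BLE slide and the personal names picked up at the mini marathon are both visible in the advertising packets a passive scanner collects. The script below is an added example, not from the talk or its Blueberry Pi tooling: it decodes the AD structures of an advertisement (the length/type/value records of the Generic Access Profile), pulls out the local name and advertised services, and classifies the advertiser's address by the rule in the Core spec (public addresses are fixed; for random addresses the two top bits of the first byte distinguish static, resolvable private and non-resolvable private). The three frames are constructed; a scanner such as bluez reports the address and the public/random flag from the PDU header, which the code takes as inputs.

```python
"""Decode what a passive BLE scanner sees: address kind and advertising data.

Added example; the frames are constructed to resemble a phone with the owner's
name, a fitness tracker, and an anonymous advertiser.
"""

AD_TYPES = {0x01: "Flags", 0x02: "Incomplete 16-bit UUIDs", 0x03: "Complete 16-bit UUIDs",
            0x08: "Shortened Local Name", 0x09: "Complete Local Name",
            0x0A: "TX Power Level", 0xFF: "Manufacturer Specific Data"}


def parse_ad_structures(data: bytes) -> dict:
    """AD structures are [length][type][length-1 bytes of value]; a zero
    length byte means the rest of the 31-byte payload is padding."""
    out, i = {}, 0
    while i < len(data):
        length = data[i]
        if length == 0:
            break
        if i + 1 + length > len(data):
            raise ValueError(f"truncated AD structure at offset {i}")
        out[data[i + 1]] = bytes(data[i + 2:i + 1 + length])
        i += 1 + length
    return out


def classify_address(addr: str, is_random: bool) -> str:
    """Public addresses are fixed for the device's lifetime. For random
    addresses the two most significant bits of the first byte give the kind
    (Bluetooth Core spec Vol 6, Part B, section 1.3)."""
    if not is_random:
        return "public"
    top2 = int(addr.split(":")[0], 16) >> 6
    return {0b11: "random static", 0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(top2, "reserved")


def trackable(kind: str) -> bool:
    """Can a passive scanner follow this device across days by address alone?
    Private addresses rotate; a resolvable one can only be linked by whoever
    holds the device's IRK, i.e. the phone it is paired with."""
    return kind in ("public", "random static")


def summarise(addr: str, is_random: bool, adv_data: bytes) -> dict:
    ads = parse_ad_structures(adv_data)
    name = ads.get(0x09) or ads.get(0x08)
    uuids = []
    for ad_type in (0x02, 0x03):
        raw = ads.get(ad_type, b"")
        # 16-bit UUIDs are little-endian on the wire
        uuids += [f"0x{int.from_bytes(raw[j:j + 2], 'little'):04x}" for j in range(0, len(raw) - 1, 2)]
    kind = classify_address(addr, is_random)
    return {"address": addr, "kind": kind, "trackable": trackable(kind),
            "name": name.decode("utf-8", "replace") if name else None,
            "services": uuids,
            "ad_types": [AD_TYPES.get(t, f"0x{t:02x}") for t in ads]}


# Constructed frames: (address as shown by the scanner, random flag, raw advertising data)
FRAMES = [
    ("5C:F3:70:12:34:56", False, b"\x02\x01\x06\x0d\x09Franks phone"),          # phone, public address, owner's name
    ("4A:12:34:56:78:9A", True, b"\x02\x01\x06\x03\x03\x0d\x18\x06\x08Polar"),  # tracker, RPA, Heart Rate service 0x180D
    ("C5:00:11:22:33:44", True, b"\x02\x01\x06"),                               # static random address, flags only
]

if __name__ == "__main__":
    for frame in FRAMES:
        print(summarise(*frame))
```

The practical reading of the output: the first device is trackable indefinitely and hands a scanner a name to go with it; the second rotates its address and is only linkable by its paired phone; the third has no name but a static address, so it is just as followable as the first.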

Page 18:

SCANNING AT VB CONFERENCE

• 50 devices at the Westin Hotel
• 29 seen till noon, not everyone made it to the breakfast ;-)

[Bar chart: devices seen by model, y-axis 0–30: Fitbit Flex, Fitbit One, Nike, Jawbone UP24, Fitbit Zip, Galaxy Gear, Polar, Fitbit Force]

I didn't say it was your fault, I said I was blaming you.

Page 19:

SCAN RESULTS FOR BLACKHAT EU/14

• 203 BTLE devices and 21 wearable fitness trackers seen

TTL jokes are short lived

Page 20:

SOME WANT THE DATA TO BE SEEN

[Screenshot; source: blog.everytrail.com]

ASCII stupid question, get a stupid ANSI

Page 21:

SELF-TRACKING CAN BE RISKY

Your digital footprint will be everywhere!

  20%    login credentials sent in clear text
  14     domains contacted by a single app (maximum seen)
  52%    do not have a privacy policy

An error? Impossible! My modem is error correcting

Page 22:

WHAT CAN USERS DO?

SCREEN LOCK
DEVICE ENCRYPTION
DON'T REUSE USERNAMES/PASSWORDS
USE STRONG PASSWORDS
SECURITY SOFTWARE
TURN OFF BLUETOOTH IF NOT REQUIRED
KEEP DEVICE/SOFTWARE/OS UPDATED
LOOK FOR A PRIVACY POLICY
CHECK FOR EXCESSIVE INFORMATION GATHERING

Page 23:


WHICH QUESTIONS ARE STILL OPEN ?

You can follow me on Twitter @mylaocoon

Page 24:


THANK YOU!

Copyright © 2014 Symantec Corporation. All rights reserved.

BLOG http://bit.ly/1pgGefW

WHITEPAPER http://bit.ly/1nGB4vw

TWITTER @threatintel

WEB http://www.symantec.com