HOW SAFE IS YOUR QUANTIFIED SELF?
ATTACK POINTS IN HEALTH APPS & WEARABLE DEVICES
Candid Wüest, Symantec Security Response
Thanks to: Mario Ballano & Hon Lau
[Title graphic: 3.58 KM, 104 BPM, 42 Calories, Location: Vienna]
WHAT IS QUANTIFIED SELF?
Intersection of major consumer & IT trends
Recording everything about your life
[Diagram: Quantified Self at the intersection of Sports & Recreation, Internet of Things, Wearable Tech, Business, Health and Culture]
Symantec Security Response 2014
WHERE THE BITS FIT IN
More moving parts = more risks
[Diagram: sample readings 23.56 KM, 123 BPM, 15.8 with RISK marked at several points]
UNINTENTIONAL DATA LEAKS
The secret life of mobile apps...
Max domains contacted: 14
Avg domains contacted: 5
Types of domains contacted: app analytics, ad networks, app provider, OS provider, social media, app frameworks, CRM/marketing, utility API
VERIFY THE DEFAULT SETTINGS!
Example: Fitbit once had “sexual activity” entries visible to all by default
DATA “CUSTODIANS”
It is personal identifiable information, but not as we know it
“Apps that access HealthKit are required to have a privacy policy, …” (Apple.com)
From the analyzed apps, 52% had no privacy policy
YOUR DATA IS ALREADY ANALYSED
Jawbone: Who’s asleep during San Francisco earthquake 2014?
DO YOU NEED AN ALIBI?
Fitbit used in court to show reduced activity levels
20% SENT PASSWORD IN CLEAR TEXT
A larger proportion of the top 100 health apps leaked activity data through HTTP
Some apps accepted self-signed certificates or did not check revocation lists

Request 1:
POST http://api.******.com/Mobile/Functions.ashx?action=RegisterUser
FName: ken
LName: west
GoalWeight: 68
Email: [email protected]
Password: P@SSw0rd

Request 2:
GET http://*****.***/api/createUser?
username=KenWest
[email protected]
password=P@SSw0rd
……

Request 3:
POST http://******.*******.net/cgi-bin/account
password: 8EEFB875DB938CEC08299BE7AA709EE0
action: create
email: [email protected]
preflang: de_CH
...
No need to crack, simply pass the hash
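Why the third request is "pass the hash" and what a server should do instead, as an added example (not code from the talk or from any of the apps): in the weak scheme the client sends a digest and the server compares digests, so the captured digest is the credential; in the hardened scheme the password travels only inside TLS (assumed), the server salts and stretches it, and a captured stored hash no longer logs in. The MD5 of "P@SSw0rd" is a constructed stand-in for the 32-hex value on the slide.

```python
import hashlib
import hmac
import os
import ssl

# Constructed sample: MD5("P@SSw0rd") stands in for the 32-hex "password" value in
# the captured request; the real value on the slide is not reproduced here.
PASSWORD = "P@SSw0rd"

# Weak scheme as seen on the wire: the client hashes and the server compares digests,
# so the digest itself is the credential and a captured one is replayable as-is.
weak_db = {"ken": hashlib.md5(PASSWORD.encode()).hexdigest()}

def weak_login(user: str, credential: str) -> bool:
    return weak_db.get(user) == credential.lower()

# Hardened scheme: the password travels only inside TLS (assumed), the server adds a
# per-user random salt and stretches with PBKDF2, and compares in constant time.
def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)}

strong_db = {"ken": make_record(PASSWORD)}

def strong_login(user: str, password: str) -> bool:
    rec = strong_db.get(user)
    if rec is None:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    return hmac.compare_digest(dk, rec["hash"])

def client_tls_is_strict() -> bool:
    """Python's default context already verifies the chain and the hostname; an app
    that accepts self-signed certificates has switched verify_mode to CERT_NONE."""
    ctx = ssl.create_default_context()
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED

def demo() -> dict:
    sniffed = hashlib.md5(PASSWORD.encode()).hexdigest()   # what an HTTP capture shows
    stored = strong_db["ken"]["hash"].hex()                 # what a leaked DB row shows
    return {"weak_accepts_sniffed_hash": weak_login("ken", sniffed),
            "strong_rejects_stored_hash": not strong_login("ken", stored),
            "strong_accepts_password": strong_login("ken", PASSWORD),
            "tls_verification_on": client_tls_is_strict()}

if __name__ == "__main__":
    print(demo())
```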
ENUMERATE USER DATA
HTTP GET /api/getUser/877
[No authentication needed]
{"result":true,"data":{"id":"877","name":"Kenwest","email":"[email protected]",
"password":"705bf40d40cb2904b04294fbc355XXXX","role":"0","about":null,
"salt":"XgDLkaenP1","sex":"Male","age":null,"purpose":null,"coach_id":"1",
"heightfeet":null,"birthday":null,"heightinch":null,"startweight":null,
"_currentweight":null,"targetweight":null,"_startbf":null,"_currentbf":null,"_targetbf":null,
"_systolic":null,"_diastolic":null,"neck":null,"_hips":null,"_waist":null,"forearm":null,
"wrist":null,"imageurl":null,"photo":null,"thumbnail_65":null,"thumbnail_150":null,
"nike_user":null,"nike_pwd":null,"nike_join":"0","face_uid":null,"provider":"0",
"timezone":"America\/Los_Angeles","fitbit_token":null,"fitbit_secret":null,"fitbit_join":"0",
"withings_token":null,"withings_secret":null,"withings_userid":"0","withings_join":"0",
"google_uid":null,"google_join":"0","facebook_access_token":null,"face_join":"0",
"first_run":"0","metric":"0","last_entry":null,"face_cache_last_update":null,
"uuid":"d53fe2973d3ad4276a8aa5aaae0730aXXXX74aeefd9cc446b80eb14391a6XXXX",
"friendly":0,"follow":0,"currentweight":"190","sexnumber":"1","percent_to_lose":100,
"percent_to_bf_lose":100,"totalbudget":1650,"systolic_warning":"bar bar-warning",
"diastolic_warning":"bar bar-warning","systolic":null,"diastolic":null,
"startavatar":"\/img\/male\/male_110","avatar":"\/img\/male\/male_190","points":0,
"avgcalories":"108.71263885498047","avgminutes":"44.0000","avgweight":"190",
"sumweekcalories":"Still working on weight loss","level":"Newbie","xxxxscore":0.60394444444444}}
Highlighted fields: name, email, password, birthday, photo, fitbit_token, withings_token, google_uid, facebook_access_token
Ideal for spammers: email, context and social media accounts
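The two defects in that endpoint are a missing session check and a response that serialises the whole database row. The following is an added example (not the app's code) of the same endpoint with both fixed: the caller must present a session, only the record owner sees personal fields, and credentials and third-party tokens are on no allow-list at all. The rows, tokens and field values are constructed placeholders modelled on the response above.

```python
from typing import Optional, Tuple

# Constructed profile rows modelled on the fields of the /api/getUser/877 response
# shown above; every value here is a placeholder, not data from the slide.
DB = {
    877: {"id": 877, "name": "Kenwest", "email": "ken@example.invalid",
          "password": "<pbkdf2-hash>", "salt": "<salt>", "birthday": "1980-01-01",
          "photo": None, "fitbit_token": "<oauth-token>", "withings_token": None,
          "google_uid": None, "facebook_access_token": "<fb-token>",
          "currentweight": "190", "level": "Newbie"},
    878: {"id": 878, "name": "Other", "email": "other@example.invalid",
          "password": "<pbkdf2-hash>", "salt": "<salt>", "birthday": None,
          "photo": None, "fitbit_token": None, "withings_token": None,
          "google_uid": None, "facebook_access_token": None,
          "currentweight": "150", "level": "Newbie"},
}
SESSIONS = {"tok-ken": 877, "tok-other": 878}     # constructed bearer token -> user id

# Allow-lists decide what is serialised; credentials and third-party tokens are on
# neither list, so they cannot leak regardless of who asks.
PUBLIC_FIELDS = ("id", "name", "level")
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "birthday", "photo", "currentweight")

def vulnerable_get_user(user_id: int) -> Tuple[int, dict]:
    """The 'before': no session check, and the whole row goes out."""
    row = DB.get(user_id)
    return (200, {"result": True, "data": dict(row)}) if row else (404, {"result": False})

def get_user(user_id: int, session_token: Optional[str]) -> Tuple[int, dict]:
    """The 'after': authenticate, then release only what this caller may see.
    Sequential ids remain guessable; the session check is what makes that harmless."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        return 401, {"result": False}
    row = DB.get(user_id)
    if row is None:
        return 404, {"result": False}
    fields = OWNER_FIELDS if caller == user_id else PUBLIC_FIELDS
    return 200, {"result": True, "data": {k: row[k] for k in fields}}

def leaked_secrets(body: dict) -> set:
    """Sensitive keys present in a response body; useful as a regression check."""
    secrets = {"password", "salt", "fitbit_token", "withings_token",
               "google_uid", "facebook_access_token"}
    return secrets & set(body.get("data", {}))
```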
OPEN REMAILER SCRIPT
POST http://www.***.com/members/community130204/sendmail.php
email: [email protected]
subject: Daily Activity
message: Dear User,
You have 1 new private message. Please go to …

POST http://www.***.com/members/community130204/sendmail.php
email: [email protected]
subject: Your Daily Spam
message: Dear User,
You have 1 new SPAM message. Please click here…
POSSIBLE IMPACT
• Account hijack
o The problem of password reuse
o Costs: sign the user up for premium services, commitments, …
o Change the privacy settings
• Spam
o Enumerate user data to send spam with context
o Create dummy accounts & use profile pages as spam landing pages
o Use social media accounts to find friends and spam them
GET REWARDED
Who said you have to run yourself? Dog-sitter?
POSSIBLE IMPACT
• Loss of privacy
o Reveal personal details: identity theft, profiling, extortion, …
o Reveal location: stalking, burglary, kidnapping, corporate misuse, …
• Loss of integrity
o Modify/inject data: gain rewards, high scores, frustrate others ;-)
o Delete the account and history
o Brick/change the device through firmware updates
BLUETOOTH LOW ENERGY
aka Bluetooth SMART and BTLE, part of BT 4.0 (2010)
• Different from classic Bluetooth
• Does frequency hopping but can still be sniffed
• Pairing has been broken (Mike Ryan)
“Bluetooth Smart (low energy) technology supports a feature that reduces the ability to track a Bluetooth device over a period of time by changing the address on a frequent basis.” (Bluetooth.org)
SCANNING WITH A BLUEBERRY PI!
OUR BLUETOOTH TRACKER
Raspberry Pi: $35
Bluetooth 4.0 USB dongle: $7
4GB SD card: $5
Battery pack: $28
Total price: $75
SCAN RESULTS FOR A MINI MARATHON
• The phone may reveal the real name associated with the device
• 30 from 563 devices had something like a person’s name
– Rita :))
– Darren!
– Franks phone
– Erica
– Dawson
– Alieen's mobile!!:)
– Garret rip xxx
– Big hairy bollo
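What a scanner actually sees is an advertising report: a device address, an address type, and a payload of [length][type][data] structures, one of which may be the local name. The following added example (not the talk's tracker code) parses that payload and classifies the address the way the Bluetooth.org quote above describes: only resolvable and non-resolvable private addresses rotate, while public and random static addresses are stable identifiers. It also serves the name finding in the scan results; run it against your own device's advertisement to see whether it broadcasts a name. The three reports are constructed (addresses and names are placeholders).

```python
from typing import List, Optional, Tuple

AD_FLAGS, AD_SHORT_NAME, AD_COMPLETE_NAME = 0x01, 0x08, 0x09

def parse_ad_structures(payload: bytes) -> dict:
    """Split advertising data into {ad_type: value}; each structure is [len][type][data]."""
    out, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero-length padding ends the payload
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")   # malformed report, do not guess
        out[payload[i + 1]] = payload[i + 2:i + 1 + length]
        i += 1 + length
    return out

def advertised_name(payload: bytes) -> Optional[str]:
    """Local name a scanner would print, or None when the device advertises none."""
    ads = parse_ad_structures(payload)
    raw = ads.get(AD_COMPLETE_NAME) or ads.get(AD_SHORT_NAME)
    return raw.decode("utf-8", "replace") if raw else None

def address_kind(addr: str, random_type: bool) -> str:
    """Classify a BD_ADDR (MSB first, as scanners print it). Only the two private
    random kinds rotate; public and random static addresses are stable identifiers."""
    if not random_type:
        return "public (stable)"
    top_bits = int(addr.split(":")[0], 16) >> 6   # two MSBs select the random sub-type
    return {0b11: "random static (stable)", 0b01: "resolvable private (rotates)",
            0b00: "non-resolvable private (rotates)"}.get(top_bits, "reserved")

# Constructed advertising reports: (address, address-type-is-random, raw AD payload).
SAMPLE_REPORTS = [
    ("C4:12:3A:45:67:89", True, bytes([0x02, 0x01, 0x06, 0x0D, 0x09]) + b"Franks phone"),
    ("5A:00:11:22:33:44", True, bytes([0x02, 0x01, 0x06, 0x03, 0x03, 0x0F, 0x18])),
    ("00:11:22:33:44:55", False, bytes([0x02, 0x01, 0x06, 0x06, 0x08]) + b"Erica"),
]

def scan_summary(reports) -> List[Tuple[str, str, Optional[str]]]:
    """One row per device: address, how trackable the address is, advertised name."""
    return [(addr, address_kind(addr, rnd), advertised_name(ad)) for addr, rnd, ad in reports]

if __name__ == "__main__":
    for row in scan_summary(SAMPLE_REPORTS):
        print(row)
```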
SCANNING AT VB CONFERENCE
• 50 devices at the Westin Hotel
• 29 seen till noon, not everyone made it to the breakfast ;-)
[Chart: devices seen by model: Fitbit Flex, Fitbit One, Nike, Jawbone UP24, Fitbit Zip, Galaxy Gear, Polar, Fitbit Force]
SCAN RESULTS FOR BLACKHAT EU/14
• 203 BTLE devices and 21 wearable fitness trackers seen
SOME WANT THE DATA TO BE SEEN
Source: blog.everytrail.com
SELF-TRACKING CAN BE RISKY
Your digital footprint will be everywhere!
52% do not have a privacy policy
20% send login credentials in clear text
14 domains contacted by apps
WHAT CAN USERS DO?
TURN OFF BLUETOOTH IF NOT REQUIRED
KEEP DEVICE/SOFTWARE/OS UPDATED
DON'T REUSE USERNAMES/PASSWORDS
USE STRONG PASSWORDS
LOOK FOR A PRIVACY POLICY
CHECK FOR EXCESSIVE INFORMATION GATHERING
SCREEN LOCK
DEVICE ENCRYPTION
SECURITY SOFTWARE
WHICH QUESTIONS ARE STILL OPEN?
THANK YOU!
You can follow me on Twitter @mylaocoon
BLOG: http://bit.ly/1pgGefW
WHITEPAPER: http://bit.ly/1nGB4vw
TWITTER: @threatintel
WEB: http://www.symantec.com
Copyright © 2014 Symantec Corporation. All rights reserved.