Bluetooth and other methods of hacking handcuffs

    Over the past year, one of the biggest booms in the IT industry has been in gadgets that in Russian are best called “wrist” devices. On the one hand, pedometers and other personal activity sensors are increasingly made in the form of bracelets - such, for example, is the evolution of the popular Fitbit tracker. On the other hand, the old guard has also joined the fight for human wrists by releasing smart watches: Android Wear, Apple Watch and Microsoft Band. Today we’ll talk about some of the dangers of this fashion. No, we are not against a healthy lifestyle. We even support the idea that on January 1 it is better not to overeat salads in front of the TV, but instead to take part in one of the New Year’s races.

    However, many will go to such races or training sessions wearing fashionable fitness bracelets and other trackers. Authors of advertising articles touting this jewelry usually don’t ask themselves questions like “how do you enter a password here?” or “where is the off switch?”. Meanwhile, these questions expose a whole set of security problems brought about by the miniaturization of wrist computers.

    Let's start with the classics. In 2013, a team of specialists from the University of Florida published a description of a number of vulnerabilities in the popular Fitbit pedometer. True, they examined the old (by today's standards) Fitbit Ultra model, in which the wearable sensor communicates with its base via the ANT wireless protocol; the base is connected via USB to a desktop or laptop, where the collected user activity data goes to a special application that sends it over the Internet to cloud storage (a kind of social network for fitness enthusiasts).

    The researchers found that virtually every link in this chain is unprotected. In particular, the Fitbit client application sends the user's login and password to the site in clear text, and the rest of the data exchange with the server takes place over plain HTTP. And using a fake USB base for wireless communication, you can intercept user data from trackers within a radius of several meters, and even change this data either on the trackers themselves or in the accounts on the server: for example, 12 million extra steps were credited to one user.

    As a solution, the authors of the study recommended encryption that protects the connection between each specific tracker and its Internet account. True, they acknowledged that encryption would increase the load on the tracker and the other devices in the chain.

    Newer Fitbit models use Bluetooth for wireless communication. This allowed Symantec security professionals to criticize a whole host of “wellness bracelets” running on this protocol. In the summer of 2014, they assembled several Bluetooth scanners based on Raspberry Pi mini-computers (each gadget ended up costing only $75) and placed them in Dublin and Zurich. The scanners were placed at the venues of sporting events; business centers and transport hubs were studied separately.


    In total, 563 trackers of various brands were “caught” during the experiment, including Fitbit Flex bracelets (which turned out to be the most popular), Jawbone, Nike FuelBand and Polar sports watches. According to the report, the scan made it possible to intercept not only unique device identifiers and transmitted personal data, but also other information that allows owners to be identified - for example, the device's user-assigned name, which often matches the name of the owner.

    Thus, third parties can monitor the user's movements, as well as his health, without his knowledge. And not only during training: many wrist trackers simply do not allow you to turn off Bluetooth, which runs around the clock (unless you remove the battery from the tracker each time). This means that potential burglars can find out whether you are in the apartment. Or even how soundly you are sleeping at the moment.
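
    An added example, not taken from the article or from the Symantec study: a check that a device owner or vendor could run over an advertisement captured from their own tracker, flagging the two leaks described above (a fixed device address and a device name sent in the clear). It assumes the tracker uses Bluetooth Low Energy advertising; the function names, sample bytes and addresses are constructed for illustration.

```python
# Added example: audit one BLE advertisement for trackability.
# Sample bytes and addresses are constructed, not real captures.

AD_SHORT_NAME, AD_FULL_NAME = 0x08, 0x09   # standard AD types for the local name

def parse_ad_structures(payload: bytes) -> dict:
    """Split advertising data into {AD type: data}; each field is [len][type][data]."""
    fields, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero length: padding, nothing follows
            break
        if i + 1 + length > len(payload):    # truncated field: stop, never over-read
            break
        fields[payload[i + 1]] = payload[i + 2:i + 1 + length]
        i += 1 + length
    return fields

def address_kind(address: str, is_random: bool) -> str:
    """Classify a device address; is_random is the TxAdd bit of the PDU header."""
    if not is_random:
        return "public"
    top = int(address.split(":")[0], 16) >> 6   # two most significant bits
    return {0b11: "static-random", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")

def audit(address: str, is_random: bool, payload: bytes) -> list:
    """Return the privacy findings for one advertisement."""
    findings = []
    kind = address_kind(address, is_random)
    if kind in ("public", "static-random"):
        findings.append(f"fixed address ({kind}): device can be followed between scanners")
    fields = parse_ad_structures(payload)
    name = fields.get(AD_FULL_NAME) or fields.get(AD_SHORT_NAME)
    if name:
        findings.append(f"name broadcast in clear: {name.decode('utf-8', 'replace')!r}")
    return findings

# Constructed sample: a flags field, then the complete local name "Anna's Band".
SAMPLE = bytes([0x02, 0x01, 0x06]) + bytes([0x0C, 0x09]) + b"Anna's Band"

if __name__ == "__main__":
    for finding in audit("C4:11:22:33:44:55", True, SAMPLE):
        print(finding)
```

    A tracker that advertises from a rotating resolvable private address and carries no name in its advertisement produces no findings from this check.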

    In addition, as the researchers noted, none of the trackers they observed encrypted its data transfers. Perhaps manufacturers are simply saving battery power this way. True, in other cases they do not economize: the same study revealed that each fitness application typically used with a tracker sends user data to 5 different servers on average, and it often happens that an application contacts more than 10 different Internet addresses. That is, in addition to the tracker's own server, user information is transmitted to a number of other companies.

    Symantec experts also found that 52% of tracker applications do not disclose their privacy policies to users at all. And most of the others that do show such a policy usually get by with general phrases such as “your data is protected” instead of specific answers: what kind of data is collected? where and for how long is it stored? to whom is it transmitted? how can the user control this data?

    But back to encryption: Bluetooth fully allows such protection. However, security issues are possible here too. In early December 2014, Liviu Arsene of Bitdefender announced that it is possible to read messages transmitted to the Samsung Gear Live smart watch from a user’s smartphone, in this case a Google Nexus 4. To do this, you only need to find out the six-digit PIN that is entered during the first “pairing” of the devices via Bluetooth. According to the researcher, the PIN can be found by simple brute force, after which you can read the user's SMS, Google Hangouts chats and other private messages that are sent to the watch.

    True, this statement was controversial and prompted a number of clarifications about the additional conditions required. However, the researcher insists that working exploits that bypass Android Wear protection will soon appear.


    What can help here? Both Symantec and Bitdefender again recommend security measures that conflict with the very miniaturization of the gadgets.

    For example, it is proposed to use additional encryption - or at least simply to enable the encryption that is already available for this type of communication (Bluetooth). However, as noted above, this slows down the processor and drains batteries that are already small.

    Should a strong, long password be required for every session? But this requires an input device, and not just a beautiful strap (unless the strap learns to recognize fingerprints... which, however, can also be faked).

    You can use NFC for communication, which has a shorter range and so makes interception harder. But this makes the device more expensive, and holes have already been found in this technology.

    And finally, you can once again advise users to turn off wireless communications when they are not needed - provided your bracelet has such a switch.

    In general, the security situation of wireless wrist gadgets is unlikely to improve in the new year. It is even possible that a retro mode of wired connections will appear (for example, through a headphone jack). After all, no one has died yet because his step count reached another device a couple of hours late.

    But, by the way, about dying. If you watched the series Homeland, there was an episode in the second season in which terrorists took out the US Vice President through a wirelessly controlled portable defibrillator. Some considered this a cinematic fiction. However, in the spring of 2014, Wired magazine published the results of a study by Scott Erven, who tested medical equipment in hundreds of American clinics. During the tests, defibrillators were indeed found that can be controlled using the default password for the Bluetooth connection. Former US Vice President Dick Cheney had a similar defibrillator with wireless access, but in 2007 this feature was disabled for security reasons.


    This story shows the general direction in which the security problems of fitness bracelets will develop. So far, these devices are basically just a fetish, that is, a fashionable but not very useful toy - therefore, few people care about protecting them now. It will be a different matter when they are used seriously for health, turning into something like a personal medical record. Then more serious security standards will appear, and users and the state will more actively demand that manufacturers comply with these standards. True, the peculiarity of the situation is that the technological foundations of these wearable devices - together with their vulnerabilities - are being laid now, in the current "non-hazardous" jewelry. Correcting them later will be much harder.

    Author: Alexey Andreev, Positive Technologies
