VB2014 video: Attack points in health apps & wearable devices - how safe is your quantified self?

Posted by   Virus Bulletin on   Nov 7, 2014

Health apps and wearable devices found to make many basic security mistakes.

"I know a lot of you have a Fitbit device."

The geeks attending VB conferences tend to like their gadgets, and many of them have the latest ones, so the claim made by Candid Wüest at the beginning of his VB2014 last-minute presentation 'Attack points in health apps & wearable devices - how safe is your quantified self?' was bound to be accurate. But the Symantec researcher really did know how many delegates were sporting such a device.

Fitness devices and health apps have become very popular in recent years, and they certainly demonstrate the potential of modern technology. Unfortunately, in many cases, security and privacy had not been given serious consideration during development.

This will not come as a surprise to anyone who has looked at the security of mobile apps. Yet, because these apps are designed to measure things we really want to keep to ourselves, such as our health or our exact location, this is a rather serious issue.

In the best cases, apps sent data over an HTTPS connection that didn't check for revoked certificates, but in many other cases, no encryption was used at all. In some cases, the data in the cloud itself wasn't protected either, making personal information easily accessible for even the most novice attacker.
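The three client-side mistakes mentioned above (no TLS at all, TLS with verification switched off, and the "best case" of a verified chain that never consults revocation) can be made concrete with Python's standard `ssl` module. The following is an added example, not code from the talk or from any of the apps it examined: it builds the weak configurations next to a hardened one and runs a small audit over each context. The `crl_path` parameter is a hypothetical location for a PEM-encoded CRL file; nothing here opens a network connection.

```python
"""Weak vs. hardened TLS client configuration in Python's ssl module.

Added example for illustration; not from the VB2014 talk or from the apps
it discussed. Only builds and inspects SSLContext objects, so it runs offline.
"""
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The 'no real verification' pattern: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be disabled before verify_mode can be set to CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def no_revocation_context() -> ssl.SSLContext:
    """The 'best case' from the talk: chain and hostname are verified, but a
    revoked certificate is still accepted because no CRL is ever consulted."""
    return ssl.create_default_context()


def hardened_context(crl_path: Optional[str] = None) -> ssl.SSLContext:
    """Verified chain, hostname check, TLS 1.2+, and CRL checking of the leaf."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Tell OpenSSL to reject a leaf certificate that appears on a loaded CRL.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if crl_path:
        # CRLs are loaded through the same call as CA certificates (hypothetical path).
        ctx.load_verify_locations(cafile=crl_path)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means none of the checked
    weaknesses is present."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if not (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF):
        findings.append("revocation (CRL) not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS < 1.2 allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in [("insecure", insecure_context()),
                      ("default", no_revocation_context()),
                      ("hardened", hardened_context())]:
        print(f"{name:>9}: {audit_context(ctx) or ['ok']}")
```

Note that `VERIFY_CRL_CHECK_LEAF` only has an effect once a CRL has actually been loaded; without one, OpenSSL fails the handshake because it cannot locate a CRL for the issuer, which is the safe failure mode but has to be planned for in deployment.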

And it isn't just the connection to the cloud that users have to worry about. Candid created a $75 "Blueberry pi" device, based on a Raspberry Pi and a Bluetooth USB dongle, that allowed him to track people wearing a fitness device. He had used this device to track runners during a mini-marathon in Dublin, but also to track delegates during VB2014.

He finished his presentation with a shout-out to I Am The Cavalry, the grassroots organisation that focuses on making medical devices, automobiles, home electronics and public infrastructure more secure. Candid's presentation (a variation of which he later delivered at Black Hat Europe) showed that the organisation still has a lot of work to do.

Because this was one of the event's 'last-minute' presentations, there was no written paper for us to publish. We have, however, uploaded the video to our YouTube channel. You can download the presentation slides here.

Posted on 07 November 2014 by Martijn Grooten

