Last-minute paper: Attack points in health apps & wearable devices - how safe is your quantified self?

Thursday 25 September 16:00 - 16:30, Green room.

Candid Wüest (Symantec)


Each day, millions of people worldwide are recording every aspect of their lives in an activity known as self-tracking or quantified self, often using wearable devices. These people have various reasons for doing this, but are they thinking about the risk involved in this process? Given the amount of personal data that is generated, transmitted, and stored at various locations during self-tracking, we wanted to analyse how well this data is protected against attackers, since the quantified self involves more than just the personally identifiable information (PII) that we are used to.

With the upcoming HealthKit integration in Apple's iOS 8 and Google Fit for Android, we expect to see another boost in wearable devices and health apps soon. Many welcome the idea of Apple's and Google's fitness and health-tracking platforms, though it is unclear how quickly developers will adapt their applications to the new services. The platforms' central storage for personal fitness information could obviously be a very enticing target for attackers, who could develop malicious applications to try to steal this data.

In our recently completed research, we analysed the top health applications currently available for smartphones and found all sorts of worrying behaviour. Many apps do not follow security best-practice guidelines. For example, some apps submit passwords in clear text, transmit activity details over HTTP, allow user enumeration, or store information insecurely. Other applications contact up to 14 different service providers, spreading personal information even further. To make matters worse, more than half of the apps did not have any privacy policy at all. These findings raise several questions: how much data is actually gathered? Who has access to this data? How securely is it stored?
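Two of the anti-patterns listed above, user enumeration and accepting credentials in clear text, are easy to check for in an app's own login endpoint. The following Go program is an added example and not code from the talk or from any of the analysed apps: it puts a leaky login handler (different responses for "unknown user" and "wrong password") beside a uniform one, adds a guard that refuses credentials over plain HTTP, and exercises both in-process with `net/http/httptest`. The user store, server key and the HMAC-SHA256 verifier are constructed for the demo; a real service would store a slow password hash such as bcrypt or argon2id.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed demo key. The HMAC-SHA256 verifier below only keeps the example
// inside the standard library; production code uses bcrypt/argon2id instead.
var serverKey = []byte("constructed-demo-server-key")

func verifier(user, password string) []byte {
	m := hmac.New(sha256.New, serverKey)
	m.Write([]byte(user + "\x00" + password))
	return m.Sum(nil)
}

// Constructed user store: one account.
var users = map[string][]byte{
	"alice": verifier("alice", "correct horse battery staple"),
}

// dummyVerifier is compared against when the user does not exist, so the
// unknown-user path performs the same work as the wrong-password path.
var dummyVerifier = verifier("", "")

// LeakyLogin is the pattern the abstract describes: the status code and
// message tell the caller whether the username exists.
func LeakyLogin(w http.ResponseWriter, r *http.Request) {
	user, pass := r.FormValue("user"), r.FormValue("password")
	stored, ok := users[user]
	if !ok {
		http.Error(w, "no such user", http.StatusNotFound)
		return
	}
	if !hmac.Equal(stored, verifier(user, pass)) {
		http.Error(w, "wrong password", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, "ok")
}

// UniformLogin returns one status and one message for every failure and
// runs the verifier comparison on both paths.
func UniformLogin(w http.ResponseWriter, r *http.Request) {
	user, pass := r.FormValue("user"), r.FormValue("password")
	stored, ok := users[user]
	if !ok {
		stored = dummyVerifier
	}
	match := hmac.Equal(stored, verifier(user, pass))
	if !ok || !match {
		http.Error(w, "invalid username or password", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, "ok")
}

// RequireTLS refuses to accept credentials over plain HTTP at all.
func RequireTLS(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Error(w, "credentials are only accepted over TLS", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// Login posts a form login to h in-process and returns status and body,
// the way a test for the app's own endpoint would.
func Login(h http.HandlerFunc, user, pass string, overTLS bool) (int, string) {
	form := url.Values{"user": {user}, "password": {pass}}
	req := httptest.NewRequest(http.MethodPost, "/login", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if overTLS {
		req.TLS = &tls.ConnectionState{} // marks the request as having arrived over TLS
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	handlers := []struct {
		name string
		fn   http.HandlerFunc
	}{{"leaky", LeakyLogin}, {"uniform", UniformLogin}}
	for _, h := range handlers {
		c1, b1 := Login(h.fn, "nobody", "x", true)
		c2, b2 := Login(h.fn, "alice", "x", true)
		fmt.Printf("%s: unknown user -> %d %q, wrong password -> %d %q\n", h.name, c1, b1, c2, b2)
	}
	c, b := Login(RequireTLS(UniformLogin), "alice", "correct horse battery staple", false)
	fmt.Printf("plain HTTP -> %d %q\n", c, b)
}
```

The leaky handler answers 404 for an unknown account and 401 for a bad password, which is exactly the signal an enumeration attempt needs; the uniform handler answers 401 with the same body in both cases and still runs the comparison, so neither the message nor the timing distinguishes them. Checks of this shape belong in the app's own test suite before release.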

We will also explain the different attack vectors and attack scenarios against wearable devices and their corresponding applications. We will provide concrete examples, such as how cybercriminals could misuse this information. For example, quantified-self devices could be a spammer's dream come true, as the devices allow the spammer to harvest complete user profiles with contact information and relevant contextual details.

Furthermore, we discovered that none of the analysed quantified-self sports bracelets implemented the full spectrum of available privacy functions. As a result, people using these activity trackers could be tracked without their knowledge by any unrelated third party, which opens up worrying opportunities for stalkers and other attackers. We created a proof-of-concept Bluetooth low energy (BTLE) scanner based on a Raspberry Pi and performed tests in different European cities. We will discuss the recently completed scan results and show a demo of the device. When this tracking is combined with the leakage of personally identifiable information, the dream of the quantified self can quickly become a nightmare.
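The privacy function that makes a device unlinkable across sightings is Bluetooth LE address privacy: instead of advertising a fixed address, the device rotates through resolvable private addresses that only a peer holding its Identity Resolving Key (IRK) can tie back to it. The program below is an added example, not code from the talk or from any vendor's firmware. It implements the random address hash `ah(k, r) = e(k, r') mod 2^24` from the Bluetooth Core Specification (Vol 3, Part H, 2.2.2) with AES-128 from the Go standard library, builds resolvable private addresses from it, and shows that two rotations of the same device resolve under the owner's IRK but not under anyone else's. The IRK and prand values are constructed for the demo; byte order follows the big-endian presentation in the specification (a stack working on little-endian buffers swaps bytes).

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// ah computes the Bluetooth random address hash: AES-128 over r (24 bits)
// left-padded with 104 zero bits, keeping the least significant 24 bits.
func ah(irk [16]byte, prand [3]byte) ([3]byte, error) {
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		return [3]byte{}, err
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // r' = 0x00 * 13 || prand
	block.Encrypt(out[:], in[:])
	var hash [3]byte
	copy(hash[:], out[13:]) // e(k, r') mod 2^24
	return hash, nil
}

// BuildRPA forms a resolvable private address from an explicit prand:
// prand with its two most significant bits forced to 01, followed by ah(IRK, prand).
func BuildRPA(irk [16]byte, prand [3]byte) ([6]byte, error) {
	prand[0] = (prand[0] & 0x3f) | 0x40
	hash, err := ah(irk, prand)
	if err != nil {
		return [6]byte{}, err
	}
	var addr [6]byte
	copy(addr[:3], prand[:])
	copy(addr[3:], hash[:])
	return addr, nil
}

// NewRPA is what a device does at each rotation interval: pick a fresh random prand.
func NewRPA(irk [16]byte) ([6]byte, error) {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		return [6]byte{}, err
	}
	return BuildRPA(irk, prand)
}

// Resolve reports whether addr was produced with irk. A bonded peer that
// received the IRK during pairing can do this; a passive observer cannot
// link two rotations of the same device.
func Resolve(irk [16]byte, addr [6]byte) bool {
	if addr[0]>>6 != 0x01 {
		return false // not flagged as a resolvable private address
	}
	var prand [3]byte
	copy(prand[:], addr[:3])
	hash, err := ah(irk, prand)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(hash[:], addr[3:]) == 1
}

func main() {
	// Constructed IRK; a real one is generated by the device and shared only with bonded peers.
	irk := [16]byte{0x5a, 0x11, 0xc3, 0x9e, 0x27, 0xb4, 0x08, 0xf6, 0xd2, 0x6b, 0x45, 0x0c, 0x99, 0xe7, 0x31, 0x8d}
	first, _ := NewRPA(irk)
	second, _ := NewRPA(irk)
	fmt.Printf("rotation 1: % x\nrotation 2: % x\n", first, second)
	fmt.Println("owner resolves both:", Resolve(irk, first) && Resolve(irk, second))

	stranger := irk
	stranger[0] ^= 0xff // any IRK other than the device's own
	fmt.Println("third party resolves either:", Resolve(stranger, first) || Resolve(stranger, second))
}
```

A bracelet that advertises a static address instead presents the same six bytes at every sighting, which is all a passive scanner needs to recognise it again; with address privacy enabled, each rotation looks like a different device to anyone who does not hold the IRK.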

Candid Wüest

As a member of Symantec's global security response team, Candid Wüest analyses new security threats, formulates mitigation strategies and creates research reports on emerging security trends - for example, threats to the Internet of Things. Wüest joined Symantec in 2003. For three years he worked as a virus analyst in Symantec's anti-malware laboratory in Dublin, Ireland, where he spent his time analysing malware and creating signatures. Prior to that, he was a member of the Global Security Analysis Lab of IBM Research in Rüschlikon, Switzerland. Wüest holds a Master's degree in computer science from the Swiss Federal Institute of Technology (ETH) and various other certifications. He has published several white papers and has been featured as a security expert in various media. He is also a frequent speaker at security-related conferences including Area41, BlackHat and RSA. He learned coding and the English language on a Commodore 64.

@mylaocoon
