back to article Your fitness tracker is a SNITCH says Symantec

If you're the kind of person whose gadgets auto-tweet your exercise, sex or sleep habits – all vanguard applications of the odiously-named “quantified self” movement – you can be tracked, identified and hacked, according to Symantec. In this post, the security outfit explains that the age-old desire for gadget convenience has …

  1. dan1980

    And no one could possibly be surprised by this.

    Those little trackers are a great idea and one can easily see them doing what so many other exercise gadgets fail to, which is to motivate people to exercise more.

    The unfortunate truth - as with the glut of Internet-connected devices in the home - is that manufacturers just don't care about their users' privacy. Self-regulation doesn't work; never has. You can't rely on companies to keep their customers best interests at heart because that's not the way companies work. The only way to fix this perennial problem is to legislate and impose real penalties when companies don't respect their customers' privacy.

    Of course, the core problem is that privacy is just not respected. Unfortunately, that extends to our government, so it's pointless hoping that they would implement any regulations to protect it.

    One way to approach the problem is to say that any device that transmits or stores identifiable information in an insecure manner is unfit for purpose. I actually think that is quite a reasonable approach as these devices are sold on the merits of them exchanging data with personal devices and cloud services - most of them don't even have a display. Given that's the selling point, I find it reasonable to expect that that feature is implemented to a high standard, which demands security.

    1. Anonymous Coward
      Anonymous Coward

      Modern intelligence is highly overrated

      "And no one could possibly be surprised by this."

      Exactly!

      What does this prove? Get ready for the dystopian future: People are stupid

      If I post my every move to Facebook, nobody could possibly keep track! If I use my credit card to charge every $3 latte that I drink, nobody could possibly keep track! If I hook myself up to a biometric collecting device that also connects to the internet, nobody could possibly keep track!

      "The unfortunate truth - as with the glut of Internet-connected devices in the home - is that manufacturers just don't care about their users' privacy."

      Here's the New Flash of truth and reality: When connected to a network, there is no such thing as privacy. Back in the era of WinNT3,51, that OS was actually rated for the highest governmental security rating...as long as it wasn't connected to any outside network.

      There's a lesson in that. There is, fundamentally, no security when devices are interconnected. Doesn't exist. People want to forget, ignore or dismiss that fact, but it has never, ever changed. Anything, everything, accessible to the outside world can be hacked. There is no such thing as the "unhackable" computer if it is connected to an outside network.

      Eh, why do I bother wondering, or caring, how much people will lose as they give their lives, their info, away to someone else for their bit of convenience? It's their heads, after all.

      1. dan1980

        Re: Modern intelligence is highly overrated

        @AC

        It's not about things being un-crackable. As I tell people, if someone wants to get access to your data or your system badly enough then you can't really stop them.

        For the average person, it's just about it being difficult enough to protect yourself from casual intrusions. If someone wants to track you - and specifically you - through your fitness tracker then they will. But then, if you're someone who warrants that kind of attention then you probably wouldn't be using one of these things anyway.

        No one truly expects hardened, state-secret-level, security on a Bluetooth fitness bangle, but I think it's reasonable to expect that the data that you send back and forward would secured enough that you couldn't defeat it with an off-the-shelf single-board PC and some scripting.

        Like I said - 'fit for purpose'. The data isn't super sensitive and you have the option to wear the device or not - you don't have to keep it on 24/7. For the purpose it is there for, a moderate level of encryption and security-mindedness is warranted and should be expected.

      2. Caesarius
        Terminator

        When it really matters:

        "No connection, no breach"

    2. BillG
      Holmes

      " lack of privacy" is the new nicotine.

  2. Anonymous Coward
    Happy

    How does this work?

    I mean the part about tracking sexual activity? Is a button pushed? (on the phone I mean...)

    Or is the phone strapped to the arm and then detects frequent acceleration while in a prone position?

    Or.. is there a way for the app to accurately detect pleasurable moans and groans?

    Inquiring minds want to know!

    1. dan1980

      Re: How does this work?

      The tracker is a bracelet - usually - that either communicates directly with your phone or downloads to it via USB or Bluetooth. If you're wearing the bracelet, it will track your movements. With enough data from enough people, you can build a pattern and match it.

    2. frank ly

      Re: How does this work?

      " ... is the phone strapped to the arm ..."

      I was going to make a comment about your 'assumption', suggesting alternatives, but I realised that I'd be revealing highly personal information if I did that.

      1. 's water music

        Re: How does this work?

        " ... is the phone strapped to the arm ..."

        I was going to make a comment about your 'assumption', suggesting alternatives

        Yeah, supine seems more likely than prone. No need to detect a second party either

  3. Anonymous Coward
    Anonymous Coward

    This is news?

    If anyone who works in IT thinks that somewhere out on the Internet a direct relationship between

    Your Phone(s)

    Your Credit Card(s)

    Your Store Card(s)

    Your Car

    Your wearable device(s)

    Don't exist and furthermore that that relationship won't be used against you in some form is IMHO, barking mad.

    Perhaps they might like to go back to living on that Desert Island.

    you connect things up and somewhere a system (or systems) will detect that relationship and store it forever. In most cases it won't be used for anything other than Advertising (not on my dumb Nokia they won't) but there will soon be other more sinister and criminal linking of your data. The Nigerian 419'ers are moving onto new ways to extract money from you. All this data presents a rish source of target data that if I were are 419'er then I would find if hard to ignore.

    1. Robert Helpmann??
      Childcatcher

      Re: This is news?

      The Nigerian 419'ers are moving onto new ways to extract money from you

      Yes, but they will continue to target the least educated and tech savvy. In fact, the way their scams work weed out anyone with a clue. That is not to say that there aren't many individuals and groups out there willing to take advantage just as you suggest, just that there are different "target audiences" for each kind of scam.

    2. Anonymous Coward
      Anonymous Coward

      Re: This is news?

      I work in IT, I won't use store cards, credit cards or wearable devices. I pay for most things with cash where possible, and regularly change my unregistered Oyster card. I won't register for Facebook, Twitter, or any of those sorts of data mining operations. My non IT friends think I'm mad - probably half right!

  4. Anonymous Coward
    Anonymous Coward

    This is worth reading

    http://www.bbc.co.uk/news/technology-28582479

    Your new Washing machine/Fridge/Coffe maker is the new spy in the house.

    you have been warned. Connect them up at your peril.

  5. Anonymous Coward
    Anonymous Coward

    Internet of Things again. Unless it connects to a private machine and ONLY a private machine to aggregate your data/make shiny graphs/whatever then you can pretty well guarantee that it isn't secure and is leaking. Almost certainly to the manufacturer; quite probably to a bunch of ad agencies; and the chances are good -bordering on certainty- that it isn't hard to hack.

  6. Anonymous Coward
    Stop

    Still struggling....

    ...to see why I need my washing machine, dishwasher or fridge on the internet.

    Will the washing machine empty out the last load and then put in the next load. Nope.

    Will the dish washer take out the clean plates, put them away and then load the next batch.

    Nope

    Oh wait what's that my fridge will notice I'm out of milk and order it for me. Fantastic, a £5.95 litre of milk, oh whoops now I have extra, because having more than one brain cell I noticed I was low on milk and picked some up on the way home.

    The Age Of The Internet Of Things - When humanity gave up thinking for itself and became a spoon fed blob of lard in the corner of the room.

  7. baseh

    In my opinion, most if not all the people who record and share their activities are extroverts and w a n t the whole world to know about them and what they are doing.

    So IMHO the bad security is not a problem for them so why invest in security and privacy?

  8. baseh

    Is that an issue for the target users?

    IMHO it is not a problem.

    I would think that most, if not all, those that record and share their activities

    are anyway extroverts that w a n t the whole world to know.

  9. This post has been deleted by its author

  10. Anonymous Blowhard

    This could be extremely dangerous!

    e.g. your partner is away for a week and your Sexometer (tm) is registering you as 1.2 orgasms per day for that period.

    Think of the rabbits!

    1. Anonymous Coward
      Anonymous Coward

      Re: This could be extremely dangerous!

      hmm from the other angle, if the program uses clear text then i can probably spoof your sexometer (tm) account and soon you'll be getting none...

  11. David Roberts

    Pi a red herring?

    Seen this reported elswhere as well.

    As far as I can see they built a blue tooth receiver using bits and pieces.

    Nearly all mobile phones have bluetooth and smart mobiles can support scripting and you can write apps for them.

    Or use a laptop with optional dongle if the BT chip isn't modern.

    So what was the point of using a Pi?

    Just to make the point that you didn't need masses of sophisticated spying equipment?

    Or just because building something using a Pi sounds geekier and sexier than saying you wrote a Perl script for your Linux laptop? Or wrote an app for your Android phone or tablet?

  12. Salts

    About the same as this then

    http://traffic.integreen-life.bz.it/wiki/prototype

    or this

    http://www.forbes.com/sites/andygreenberg/2013/07/26/hackers-tiny-spy-computers-aim-to-track-targets-around-entire-neighborhoods-and-cities/

    Symantec does seem a tadge behind the curve.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like