Fitness trackers could pose stalking risk
Fitness trackers and other wearables could allow users to be identified and followed without their knowledge.
Research carried out by Symantec has shown that devices that use Bluetooth LE broadcast their unique hardware address, which is similar to a MAC address, even when they are seemingly offline.
In a report named “How safe is your quantified self?” (PDF), the researchers show how they were able to build a scanner to pick up these signals for only $75.
Named the “Blueberry Pi”, as it is built on a Raspberry Pi board with a Bluetooth 4 USB dongle attached, the mini computer was able to pick up the hardware addresses from passers-by’s wearables without their knowledge, providing they were within 100m.
During the tests, which the company ran in Dublin city centre and a number of public transport hubs in Zurich, the researchers were also able to pick up mobile phones and tablets broadcasting in the same way.
In a separate test, the researchers set up a number of Blueberry Pis along the route of a “major European run” and tracked the progress of individual runners as they went past, using the signals from their fitness monitors.
Symantec’s researchers suggest this type of secret data harvesting could be used by burglars to determine if there is anyone in a house they wish to target.
It could also be used by stalkers who, once they have established the hardware address of their target – which can be made easier if the owner has named their device after themselves – could follow their victim more easily.
Similar fears about burglary were raised when Google Street View first appeared.
However, Orla Cox, a security operations manager with Symantec, told PC Pro that in many ways this information is more useful to would-be stalkers and other criminals.
“Google Street View is a snapshot in time – these trackers provide real-time data. People wear these things all the time, so you are walking around constantly broadcasting your presence,” she said.
While this type of attack hasn’t yet been reported in the wild, last year a marketing company set up “smart bins” to track the movements of shoppers in London. These bins followed shoppers’ smartphones, which broadcast their MAC address whenever Wi-Fi was turned on.
“While this is theoretical, there’s no barrier to people doing this. The Blueberry Pi’s components are easy and cheap to buy, and it’s not very hard to set up,” she said.
Extra tool for stalking
Polly Neate, CEO of domestic violence charity Women’s Aid, told PC Pro: “This isn’t surprising. It’s a natural extension of what’s going on already in terms of perpetrators using technology to extend their control, and it does give an extra tool for stalking.”
Cox said that manufacturers of wearables could eliminate this risk for users by providing them with an option to turn off this broadcasting mechanism, which, in the majority of cases, is not currently possible.
“The ‘quantified self’ is a relatively new phenomenon and it’s possible that security isn’t as much of a consideration for some of these application and device developers – they’re just thinking of convenience. We would like to see that change,” she concluded.