Sniffing and Tracking Wearable Tech and Smartphones

An anonymous reader writes: Senior researcher Scott Lester at Context Information Security has shown how someone can easily monitor and record Bluetooth Low Energy signals transmitted by many mobile phones, fitness monitors, and iBeacons. The findings have raised concerns about the privacy and confidentiality wearable devices may provide. “Many people wearing fitness devices don’t realize that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” said Scott says. “Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device – that may belong to a celebrity, politician or senior business executive – within 100 meters in the open air. This information could be used for social engineering as part of a planned cyber attack or for physical crime by knowing peoples’ movements.” The researchers have even developed an Android app that scans, detects and logs wearable devices.

Sniffing wearable tech

[rossdee]

whatever turns you on I suppose

Re:

[Culture20]

"By the way, try washing your wrist sometime." --Leela's wrist thingamajig

Minority Report

[Anonymous Coward]

This reminds me of the Minority Report scene [youtube.com], where people could easily be tracked by their eyes being scanned and the annoying part of it I always thought was the loud mouthed advertising, with the ads giving out your name and what you bought yesterday.

"Hi there, Jane, how are you enjoying those extra absorbent tampons you bought last week, is everything ok? Need some new underwear?"

As to tracking for your own legal purposes, there are many services designed for that. [trackensure.com] Any technology can be abused, the qu

Re:

[ArcadeMan]

What the DS9 episode where she gets stuck in the turbolift with Odo, that should change your mind.

Re:

[TWX]

Uh, because then the computer voice would have to change?

Re:

[MobileTatsu-NJG]

Boy did you miss the point of her character.

Re:

[MobileTatsu-NJG]

That's all fine and good, but you did miss the point of her character. Your first post proved it and your ignorant reply cemented it. Nobody said anything about you having to like her.

Have a nice day.

In the Sticks

[pubwvj]

I fee sooo left out way out here in the sticks where I'm not getting my Bluetooth sniffed, or anything else except by the local wild and semi-wild fauna.

Not.

Seriously not. Adds one more reason to my list not to go down off the mountain...

Re:

[Whiteox]

Fine. Be that way. I for one never go outside because strange things happen when I go outside.

Really?

[Frosty Piss]

The findings have raised concerns about the privacy and confidentiality wearable devices may provide.

Who ever suggested that there was any "privacy and confidentiality" of wearable devices that use Bluetooth? Who would even think such a thing? We're not talking about encrypted communications devices here...

Re:Really?

[TWX]

I'm guessing that most people think that they're secure in their privacy unless they're forced into a confrontation that proves they aren't. Look at all of the corporate officers that get busted with e-mail and text messages that document their white-collar crimes. Those people are supposed to be pretty smart and even they still don't understand how the technology or the law actually work.

Re:

[AmiMoJo]

Who would even think such a thing?

Ordinary people assume that when something is "connected" to their phone, it is connected in the same way that a cable connects things or they are connected to secure wifi with a password. The fact that you usually need to use a PIN number to pair Bluetooth devices further adds to to illusion that it is secure, because PINs are for security.

Engineers have to accept responsibility here. We have to make things secure by default, and respect privacy. Users don't appreciate the somewhat subtle differences betwe

Kinda neat for sign-in sign-out systems

[Brulath]

Broader privacy implications aside, it's actually kind of neat to be wearing a device which can identify when you're in a particular space and how long for. We have a volunteer tech group working on projects at our local museum and one of the guys implemented a fitbit scanner to identify when people were present and how long for (which is useful, as bureaucracy dictates we sign in/out for fire and visitor-tracking reasons). Every few minutes it broadcasts a request for fitbits, and all those within range respond. They return a mac which can be linked back to a fitbit account, if the user has authorised us to access it, which makes it a bit easier to identify the person who owns the fitbit. We could probably replace it with another sign in system, but passive is kind of neat when you want it.

I assume resolving the identifying problem wouldn't be as easy as using a random mac?

Re:

[TWX]

Changing a MAC once won't do any good, as once the new MAC is learned, if it's seen again then it'll be recognized again.

Re:

[fuzzyfuzzyfungus]

Value judgements have their place; but leaping to them tends to involve jumping over a host of important factors.

The point isn't about who you blame, it's the fact that the capability has gotten a whole lot easier and cheaper.

I installed it ...

[CaptainDork]

... and it does nothing.

Re:

[zlives]

it updates your location to their servers right away... its not suppose to do anything else, you have now been tagged as one of the people to be interrogated later by 3 letter agency of your choice because you clearly were trying to hack something.... i think that's how it goes :)

Big Deal

[PopeRatzo]

"Sniffing and tracking"? My seven year old beagle does those things and has much longer battery life.

Call me when you're bluetooth device can fetch a tennis ball.

Re:

[fuzzyfuzzyfungus]

Unfortunately, despite not being iBeagle, you will find your beagle's battery...difficult to user service...when depleted. Also problematic to restore from backup.

Re:

[PopeRatzo]

you will find your beagle's battery...difficult to user service...when depleted.

A few doggie treats and a quick nap on the porch is all the user service she needs.

Let's gt to the extreme.

[Ateocinico]

Saturate your body with sensors. A bluetooth connection for every hair in your ears, nose and butt. Wifi for each of your liver's lobes, flow sensor in your intestines, strain gauges glued to your nails, ears and eyelids, a nanomagnetometer for every neuron, tile the inner wall of your small intestine with enzyme chips, etc, etc. If enough people follows that trend, soon the data flow is going to surpass any available computing power to process it. An being fashionable in the process, the real concern of m

Re:

[ihtoit]

the Internet of Everything starts with everything else and ends with permanent and persistent tracking of humans from the second their skin hits air to the second they expire. You have two choices here: accept the inevitability of this march to not only total information awareness but total corporate control over that information and total monetisation of that information entirely at your expense, or simply say "NO, I WILL NOT BE WIRED, TRACKED, NUMBERED, SERIALISED, SOLD, COMMODITISED OR ELECTRONICALLY CON

Re:

[zlives]

control of information is necessitated by our want of privacy... if we don't care about privacy, there is no need for control. freely available total information awareness, thus, as a goal would actually set us on the path away from "total monetisation".

Re:

[ihtoit]

TIA doesn't mean what I think you think it means. It's not personal knowledge of what information about you is going where, it's about the fact that every single little facet of your life, right down to how runny your shit is, is/will be being recorded and made money on for somebody else. That somebody else controls YOUR information. You don't even KNOW what and how much information about you is being gathered every second of every day and where it is going. Even trying to opt out of the system is informati

The made-for-TV-movie...

[fuzzyfuzzyfungus]

While they are admittedly a staple of low-budget action shlock; it seems that the 'celebrities, politicians, and high level business executives'(none of those midlevel guys, do you know what a kidnapping costs, per kilogram of hostage?) would be the least relevant targets for this flavor of attack.

Fancy prominent people are valuable, strategically relevant, or have deranged and dangerous fans. Such people have merited considerable human effort on the part of assorted attackers more or less since the inve

Wrong!!

[ultranerdz]

Bluetooth 4.1 adds Randomised private resolvable addresses. This allows only bonded devices to be tracked this way.

Re:

[gl4ss]

this is really "news" from 2000.

furthermore, iBeacons and such are used exclusively for the purpose of creating a beacon..

HIPPA

[sunderland56]

Isn't leaking personally identifiable health information a violation of HIPPA [wikipedia.org]?

Re:

[swillden]

It's HIPAA, not HIPPA.

Re:

[cmseagle]

What protected health information is being leaked? You can identify a device and then maybe tie that device to an individual, but you aren't gaining access to any of their sensitive data.

Re:

[ihtoit]

you don't use Bluetooth which works on the same 2.4GHz band as wifi, but you'll use wifi which works on the same 2.4GHz band as Bluetooth.

Sounds legit.

(for myself, I tend not to use anything which radiates for a return signal these days, instead preferring to trail a 50m cable around the house for internet access and the phone is either wired landline or wired headset for the cellphone which I don't carry on me anyway, and when it is in use it sits on the desk. I consider Bluetooth to be such a serious secu

Wow

[nospam007]

"...identify and locate a particular device – that may belong to a celebrity, politician or..."

IOW a wet dream for paparazzi.

Re:

[Muad'Dave]

That app and website already exists. I don't remember what the app is right now (it's on the Android Store), but there's an app there that receives and uploads all MACs seen + GPS info + some BLE service info.

I only use pre-BLE - security & reliability.

[allquixotic]

The latest wave of BLE / "Bluetooth Smart" devices, everything from headphones to keyboards to fitness bands, are a joke. Not only is the connection reliability *terrible*, but a paper describing a method of attack the protocol has been out for a while now.

My suggestion, and what I currently do, is refuse to buy any product that advertises that it supports or uses Bluetooth Low Energy or Bluetooth Smart or Bluetooth 4.0. Anything similar to that in the marketing literature or tech specs, and I pass it by. B