How secure is the data that pass by our wearable to the associated device? Very little, at least according to the findings from a study conducted by the Citizen Lab at the University of Toronto in collaboration with Open Effect, Canadian group to defend the privacy of the citizen. On the test bench eight predominantly wearable devices dedicated to tracking the daily activity: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone UP 2 My Fuse, Withing Pulse O2 and Xiaomi Mi Band.
These devices are normally paired with a smartphone via Bluetooth short range. The wearable "announce" its presence so that the smartphone can abbinarsi, communicate and synchronize later. The dell ' "announcement" packages consist of some information, including the MAC address (a unique address tied to the Bluetooth module) dell'indossabile. If not adequately protected, this information may allow the tracking of the wearable device and, accordingly, the user tracking.
The study noted that none of the tested devices, except for Apple Watch, makes use of Bluetooth LE LE Privacy feature that takes care to protect the MAC address with an operation of periodic randomization: at predetermined intervals transmits a MAC address different (virtual, what unique does not change) so as to make it extremely difficult for third-party devices, being able to track the device.
The randomization of the MAC address is an intrinsic feature of Bluetooth LE, but Apple only between devices tested uses it. If a device is not paired with a smartphone, it becomes quite easy to trace the user, since the same MAC address would be announced periodically. According to the study this problem is due to the excessive fragmentation of the Android environment. The study authors said they had not received any meaningful response from manufacturers, only Basis noted that the use of the Peak not accompanied by a smartphone is an extreme case and that, for this reason, has not ensured to be working to a resolution of the problem.
Within the search is also reported as some of the management applications of these devices, in particular on the Android platform, they are not safe. The study has identified as at least two of the devices does not use the HTTPS protocol for transmission of data, thus leaving open the possibility of man-in-the-middle and, ultimately, to affect the recording of data. If the danger may seem low amount but it is good to note that the tracking of daily data have recently been used as evidence in various legal proceedings, relying on them as a possible indicator of a person's activities in a given moment in time.
These devices are normally paired with a smartphone via Bluetooth short range. The wearable "announce" its presence so that the smartphone can abbinarsi, communicate and synchronize later. The dell ' "announcement" packages consist of some information, including the MAC address (a unique address tied to the Bluetooth module) dell'indossabile. If not adequately protected, this information may allow the tracking of the wearable device and, accordingly, the user tracking.
The study noted that none of the tested devices, except for Apple Watch, makes use of Bluetooth LE LE Privacy feature that takes care to protect the MAC address with an operation of periodic randomization: at predetermined intervals transmits a MAC address different (virtual, what unique does not change) so as to make it extremely difficult for third-party devices, being able to track the device.
The randomization of the MAC address is an intrinsic feature of Bluetooth LE, but Apple only between devices tested uses it. If a device is not paired with a smartphone, it becomes quite easy to trace the user, since the same MAC address would be announced periodically. According to the study this problem is due to the excessive fragmentation of the Android environment. The study authors said they had not received any meaningful response from manufacturers, only Basis noted that the use of the Peak not accompanied by a smartphone is an extreme case and that, for this reason, has not ensured to be working to a resolution of the problem.
Within the search is also reported as some of the management applications of these devices, in particular on the Android platform, they are not safe. The study has identified as at least two of the devices does not use the HTTPS protocol for transmission of data, thus leaving open the possibility of man-in-the-middle and, ultimately, to affect the recording of data. If the danger may seem low amount but it is good to note that the tracking of daily data have recently been used as evidence in various legal proceedings, relying on them as a possible indicator of a person's activities in a given moment in time.
Comments
Post a Comment