Bluetooth and other ways to hack handcuffs

Over the past year, one of the main booms in the IT industry has been gadgets that in Russian are best described as “wrist” devices. On the one hand, pedometers and other personal activity sensors are increasingly made in the form of bracelets, as the evolution of the popular Fitbit tracker shows. On the other hand, the old guard has also joined the fight for human wrists by releasing smart watches: Android Wear, Apple Watch and Microsoft Band. Today we will talk about some of the dangers of this fashion.

No, we are not at all against a healthy lifestyle. We even support the idea that on January 1 it is better not to overeat salads in front of the TV, but instead to take part in one of the New Year races. However, many people will go to such races or workouts wearing fashionable fitness bracelets and other trackers. The authors of advertising articles praising these accessories usually do not ask questions like "how do you type a password here?" or "where is the off switch?". Meanwhile, these questions reveal a whole heap of security problems that come with the miniaturization of wrist computers.

Let's start with the classics. In 2013, a group of specialists from the University of Florida published a description of a number of vulnerabilities in the popular Fitbit pedometer. True, they investigated the old (by today's standards) Fitbit Ultra model, in which a wearable sensor communicates with its base station via the wireless ANT protocol. The base station is connected via USB to a desktop or laptop, where the collected user activity data goes into a special application that sends it over the Internet to cloud storage (a kind of social network for Fitbit fans).

The researchers found that virtually every link in this chain is unprotected. In particular, the Fitbit client application sends the username and password to the site in clear text, and the rest of the data is exchanged with the server over plain HTTP. Using a fake USB base station for the wireless link, it is possible to intercept user data from trackers within a radius of several meters, and even to change this data, either on the trackers themselves or in the accounts on the server: for example, 12 million extra steps were credited to one user.

As a solution, the authors of the study recommended using encryption to protect the connection between each particular tracker and its Internet account. They did acknowledge that encryption will increase the load on the tracker and on the other devices in the chain.

The newer Fitbit models use Bluetooth for wireless communication. This allowed security experts from Symantec to criticize a whole host of “health bracelets” that work over this protocol. In the summer of 2014, they assembled several Bluetooth scanners based on Raspberry Pi mini computers (each gadget ended up costing only $75) and placed them in Dublin and Zurich. The scanners were placed at sporting venues; business centers and transportation hubs were studied separately.

In total, 563 trackers of different brands were detected during the experiment, including Fitbit Flex bracelets (which turned out to be the most popular), Jawbone, Nike FuelBand and Polar sports watches. According to the report, the scan made it possible to intercept not only the unique identifiers of the devices and the personal data being transmitted, but also other information that allows the owners to be identified, such as the device's user-assigned name, which often coincides with the name of the owner.

Thus, third parties can follow the user's movements, as well as his health, without his knowledge. And not only during workouts: many wrist trackers simply do not let you turn off their round-the-clock Bluetooth (unless you take the battery out of the tracker every time). This means that potential robbers can find out whether you are in your apartment. Or even how soundly you are sleeping at the moment.
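The two leaks described above, a fixed device identifier and a broadcast device name, can be checked for in a capture of your own tracker's Bluetooth Low Energy advertisement. The following is an added example, not code from the Symantec report; it assumes a BLE device, and the address, device name and payload bytes are constructed sample values.

```python
# Added example: audit one BLE advertisement for data that lets a passive
# scanner track or identify the wearer. All sample values are constructed.
AD_SHORT_NAME, AD_COMPLETE_NAME = 0x08, 0x09   # standard AD type codes

def parse_ad_structures(payload: bytes) -> dict:
    """Split an advertising payload into {ad_type: data}.
    Each AD structure is: length (1 byte, covers type + data), type, data."""
    out, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                  # zero length marks early end of data
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        out[payload[i + 1]] = payload[i + 2 : i + 1 + length]
        i += 1 + length
    return out

def address_kind(addr: str, is_random: bool) -> str:
    """Classify a device address. For random addresses, the two most
    significant bits of the first octet select the sub-type."""
    if not is_random:
        return "public"
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static-random", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")

def audit(addr: str, is_random: bool, payload: bytes) -> list:
    """Return a list of privacy findings for one advertisement."""
    findings = []
    kind = address_kind(addr, is_random)
    if kind in ("public", "static-random"):
        findings.append(f"trackable: {kind} address does not rotate")
    ads = parse_ad_structures(payload)
    name = ads.get(AD_COMPLETE_NAME) or ads.get(AD_SHORT_NAME)
    if name:
        findings.append("name broadcast: " + name.decode("utf-8", "replace"))
    return findings

# Constructed sample: Flags structure followed by a Complete Local Name.
_NAME = b"Alice's Flex"
SAMPLE = bytes([2, 0x01, 0x06, len(_NAME) + 1, AD_COMPLETE_NAME]) + _NAME

if __name__ == "__main__":
    for finding in audit("C4:12:34:56:78:9A", True, SAMPLE):
        print(finding)
```

A device that passes both checks uses a rotating private address and keeps personal names out of its advertisement.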

In addition, as the researchers noted, none of the trackers examined encrypted its data transfers. Perhaps the manufacturers are simply saving battery power this way. However, in other respects they do not economize: the same study revealed that each fitness application typically used together with a tracker transmits user data to 5 different servers on average, and it often happens that an application communicates with more than 10 different Internet addresses. That is, in addition to the tracker's own server, user information is transmitted to a number of other companies.

Symantec experts also found that 52% of tracker applications did not disclose their personal data security policy to the user at all. And most of the others that do show such a policy usually get by with general phrases like “your data is protected” instead of specific answers: what kind of data is collected? Where and for how long is it stored? To whom is it transmitted? How can the user control this data?

But back to encryption: Bluetooth fully allows such protection. Even so, security problems can remain. At the beginning of December 2014, Liviu Arsene from Bitdefender said that he could read messages sent to a Samsung Gear Live smart watch from the user's smartphone, in this case a Google Nexus 4. To do this, it is enough to find out the six-digit PIN code that is entered when the devices are first paired via Bluetooth. According to the researcher, the PIN code can be found simply by trying all the values (brute force), after which it is possible to read the user's SMS, Google Hangouts chats and other private messages that are sent to the watch.

True, this statement proved controversial and prompted a number of clarifications about the additional conditions that are needed. However, the researcher insists that working exploits that bypass the Android Wear protection will appear soon.

What can be done? Both Symantec and Bitdefender repeat security measures that conflict with the miniaturization of gadgets.

For example, it is proposed to use additional encryption, or at least to enable the encryption that is already available for this type of connection (Bluetooth). However, as noted above, this slows down the processor and drains the batteries, which are already so small.

Type in a strong, long password for each session? But this requires an input device, and not just a beautiful strap (unless the strap learns to recognize fingerprints... which, by the way, can also be forged).

You can use NFC for communication: it has a shorter range, which complicates interception. But this makes the device more expensive, and holes have already been found in this technology too.

And finally, you can once again advise users to turn off the wireless connection when there is no need for it, if, that is, your bracelet has such a switch.

In general, the security situation of wireless wrist gadgets is unlikely to improve in the new year. It is possible that there will even be a retro fashion for wired connections (for example, through the headphone jack). In the end, no one has died yet because his step count reached another device a couple of hours later.

But by the way, about dying. If you watched the TV series “Homeland”, there was an episode in the second season in which terrorists knocked out the vice president of the United States through a wearable defibrillator with wireless control. Some considered it movie fiction. However, in the spring of 2014, Wired magazine published the results of a study by Scott Erwin, who tested medical equipment in hundreds of American clinics. During the tests, defibrillators were actually found that can be taken under control using the default password for a Bluetooth connection. Former US Vice President Dick Cheney had a similar defibrillator with wireless access, but in 2007 this feature was turned off for security reasons.

This story suggests the general direction in which security issues for fitness bracelets will develop. So far, these devices are mostly just a fetish, that is, a fashionable but not very useful toy, so very few people care about their protection right now. It will be another matter when they start to play a serious role in health care, turning into something like a personalized medical record. Then more serious security standards will appear, and users and the state will increasingly demand that manufacturers comply with them. True, the peculiarity of the situation is that the technological foundations of these wearable devices, along with their vulnerabilities, are being laid right now, in the current “non-hazardous” jewelry. It will be much harder to fix them later.

Author: Alexey Andreev, Positive Technologies

Source: https://habr.com/ru/post/246855/

