How safe is your self-tracking health app or device? A recent Symantec report reveals the hidden security risks of your quantified self data.
Technology has made it possible for us to literally keep tabs on ourselves and measure our everyday activities with the objective of improving our quality of life and preventing health issues. Call it self-tracking, life-logging, quantified-self, or body hacking; this concept and its practice has caught on quite significantly today. Wearable computing, i.e., a self-tracking health app or device, makes tracking body metrics easy and seamless. The devices have made more people join the growing crowd of individuals who use technology in some way to keep track of one or more biometrics.
A phone survey by Pew Research revealed that nearly 70% of American adults track at least one indicator. Another report from ABI research indicated that the market for wearable computing devices will touch 485 million device shipments in 4 years time.
Quantified self or self-tracking is often believed to be the key improving overall health, happiness, and disease prevention. However, there is a darker side to the story that is not as apparent to the hundreds of people who diligently record their body analytics using a self-tracking health app or device. This darker side arises from the fact that with such highly personal, sensitive data being collected by sundry electronic computing devices, there is shockingly little attention being paid to the security aspect. The question that every individual who believes and practices self-tracking needs to ask is: Is the data being collected about me private and safe from unauthorized access? The answer, according to recent research conducted by Symantec, is NO.
Can a $75 device hack your quantified self data?
Portable Bluetooth scanning devices built by Symantec researchers using Raspberry Pi mini computers were able to easily track all such self-tracking devices encountered. Such a device can be built at a cost of $75 by anyone with basic IT skills. These scanning devices did not even have to initiate a connection with the wearable self-tracking health app & device to gain access to its accumulated data. By merely scanning the airwaves for signals these devices broadcast, the scanner was able to hone in and ‘read’ the data stored. Clearly, preventing access to information by unauthorized persons has NOT been given the attention it deserves at all! The Symantec report highlighted potential security risks based on the study conducted with the scanning devices:
Location tracking and transmission of the critical data in clear text
The scanner was tested in public areas and at a sports event where it ‘caught’ user credentials from 20% of the apps in the vicinity in clear text format. Typically, self-tracking health apps & devices require that the users store highly personal, sensitive data at a cloud storage location. While this data is ‘secured’ by a user name and password, the self tracking apps transmit these credentials without any encryption, leaving them vulnerable to interception and unauthorized use. Since many individuals use the same credentials at multiple (or all) sites, access to one user name and password combo might give access to all the user’s seemingly secure accounts everywhere.
No privacy policy, contact with multiple domains
Given that a self-tracking health app & device gathers personal and highly sensitive information, it is a reasonable expectation that it should come with strong privacy policies indicating who collects the data, what it is used for, who can see/use it, etc. Surprisingly, 52% of the apps did not have a privacy policy and of the rest, many did not offer any clarity on how the data would be kept private. Self tracking apps are legally required to have a strong privacy policy, but more than 50% of them do not have one.
Apart from the privacy issue, the study found that a maximum of 14 unique domains and an average of 5 were contacted by a single self-tracking health app/ device. Many of these domains receive information about the user without him/her being explicitly aware of this. Notably, many of these domains are CRM/data management ones or marketing services.
In-session security lapses and inadvertent data leaks
With security lacking during sessions, the users of many self-tracking apps were found to be highly vulnerable to session hijacks. In fact, they exposed the entire database to risk from unauthorized persons while they were logged in during a session. Even more startling is the revelation that some apps give clear indications of the exact time and nature of activities carried out by the user to outside domains. There are several ways in which this kind of data can be misused to the user’s detriment.
What can you do?
As a user, Symantec recommends consumers to take certain steps to ensure that your private data remains secure in the following ways:
Keep unauthorized users away by using screen locks and strong passwords and avoid reusing the same on different sites.
Keep Bluetooth turned off when not needed.
Avoid giving away personal information to sites unless you have initiated the interaction and are sure of their credentials.
Pay close attention to your social sharing features and ensure that your private information cannot be seen/shared by others.
Ensure that any app you use has a strong privacy policy and is committed to it. Make sure you know how the privacy policy protects you.
Employ full device encryption wherever possible and use device based security at all times.
Make sure your app/OS is updated regularly.
For their part, the app developers and vendors should pay attention to the following areas:
Security should be an integral part of the app design right from the beginning.
Security protocols during data transmission is top priority as is prevention of device tracking, either directly or indirectly.
Ensure that only necessary, relevant data is collected.
Enforce the use of strong passwords by users for their accounts and follow best practices in storing passwords safely.
Verify if session management is secure, implement necessary protocols, and follow secure coding.
Establish a strong privacy policy and ensure that it is adhered to at all times.
Attention to back-end system security is critical. You must ensure that security testing takes place during product development and pen test the infrastructure to verify if security features are functioning as desired.
The staff need to be made aware of the criticality of security and privacy protection. Additionally, they should be trained in handling sensitive information without compromising on safety.
Understanding and complying with legal requirements pertaining to data protection is essential.
Conclusion
Orla Cox, Symantec Director of Security Response, put it all very succinctly when she pointed out how hackers could simply access private data leaked by these devices and sell them to interested third parties for a hefty profit. Users should be aware of the risks they undertake when they use these devices and they should also make the effort to learn how they are exposed to risk, so that these gaps can be filled. On the positive side, security companies are already working at devising effective protection for such devices, but it is still up to you, the user, to install these protective mechanisms and make sure that they are truly safeguarding you in the way and to the degree you want.