Wearable security under spotlight as researchers fire Bluetooth IoT privacy warning
For connecting wearable devices with limited computing power, Bluetooth Low Energy (BLE) appears to be the way to go; the clue is in the name. Yet a recent post from Context Information Security has fired a warning shot over privacy issues in the BLE protocol.
Titled ‘The emergence of Bluetooth Low Energy’, the post addresses how scanning for devices running off BLE – which broadcasts constantly – is relatively easy with cheap hardware or a smartphone. “There are clear implications to privacy, just as there are ways that this technology could be exploited for social engineering and crime,” the researchers explain.
It’s no coincidence that other reports have surfaced in recent weeks of organisations unwilling to use smartwatches. The Chinese military has forbidden its troops from wearing internet-connected wearable tech, with the alarm raised after one recruit received a smartwatch as a gift.
Context appears concerned at the pace at which manufacturers are putting their products on the market, with security “sometimes tacked on as an afterthought.” The researchers wrote an application in C# which scans for advertising data, and sends out scan requests to identify devices. The kit they found included a “wide selection of fitness trackers, primarily from FitBit, Jawbone and Garmin”, as well as heart rate monitors, a few bicycle devices and Galaxy Gears. A daily commute on the Central and Jubilee London Underground lines brought up around 100 devices.
BLE relies on identifying devices by their MAC address, with all BLE devices needing at least one public address or random address. Most of the devices tested by Context had a random MAC address, yet that address is often fixed, making it easy to track.
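The address distinction above, as an added example (not Context's C# tool and not code from the article): in the Bluetooth Core Specification the two most significant bits of a random address mark it as static (11), resolvable private (01) or non-resolvable private (00). The sketch classifies addresses from a constructed observation log and flags those that are fixed by design or were reused across days; the log format and function names are assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real devices): (day, address, flag).
# flag stands for the TxAdd bit of the advertising PDU: "public" or "random".
SAMPLE_LOG = [
    (1, "00:1B:DC:06:4A:11", "public"),
    (2, "00:1B:DC:06:4A:11", "public"),
    (1, "E3:5F:21:9A:0C:77", "random"),
    (2, "E3:5F:21:9A:0C:77", "random"),
    (1, "5A:10:44:C2:9E:01", "random"),
    (3, "5A:10:44:C2:9E:01", "random"),  # private address that never rotated
    (2, "7C:88:3D:15:A0:F2", "random"),
    (1, "2B:90:11:6E:D4:35", "random"),
]

# Top two bits of the most significant octet select the random-address subtype.
SUBTYPES = {
    0b11: "random-static",  # fixed at least until the device power cycles
    0b01: "random-resolvable-private",
    0b00: "random-non-resolvable-private",
}

def classify(address, flag):
    """Return the address kind for one advertiser address."""
    if flag == "public":
        return "public"
    first_octet = int(address.split(":")[0], 16)
    return SUBTYPES.get(first_octet >> 6, "reserved")

def audit(log):
    """Group sightings per address and record why each one may be linkable."""
    days, kinds = defaultdict(set), {}
    for day, address, flag in log:
        days[address].add(day)
        kinds[address] = classify(address, flag)
    return {
        address: {
            "kind": kinds[address],
            "fixed_by_design": kinds[address] in ("public", "random-static"),
            "reused_across_days": len(seen) > 1,
        }
        for address, seen in days.items()
    }

def trackable(report):
    """Addresses that give a stable identifier to anyone listening."""
    return sorted(a for a, r in report.items()
                  if r["fixed_by_design"] or r["reused_across_days"])

if __name__ == "__main__":
    for address, row in audit(SAMPLE_LOG).items():
        print(address, row)
```

A device owner or vendor can run the same check against their own product's advertisements: a private address that shows up unchanged on different days is not giving the privacy its type implies.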
The researchers stress this study is only a work in progress, yet conclude: “BLE is not a new technology, but its adoption for certain applications is novel. Compared to traditional Bluetooth, it enables a new means for electronic devices to constantly communicate with each other. Whilst wearable technology and other applications are becoming increasingly popular, do many of the owners of these devices realise that they broadcast constantly?”
This isn’t the first time security of BLE has been questioned. In August, researchers at Symantec mashed together a Raspberry Pi, a battery pack, a Bluetooth USB dongle and a 4GB SD card to create a device which could be built by “anybody with basic IT skills” and tracked apps on wearables.