Symantec research suggests wearable applications are major security risk
Security analysts at Symantec have found that they were able to track users who engaged in the ‘quantified self’, or tracked their lives using fitness or health apps, by using a $75 product dubbed the ‘Blueberry Pi’.
The security bods mashed together a Raspberry Pi (price: $35), a battery pack, a Bluetooth USB dongle and a 4GB SD card to create a device which could track these apps and can be built by “anybody with basic IT skills.”
These portable Bluetooth scanners were then taken to public locations in Ireland and Switzerland – as well as a major sporting event – with the devices scanning the airwaves for the signals being broadcast.
The overall result was that one in five (20%) apps tracked gave out user credentials in clear text.
“The problem we observed is that an unacceptably large proportion of these apps and services do not handle sensitive user data, such as user names (e.g. email address) and passwords, securely,” Symantec wrote in a blog post. “This means that the data could be easily intercepted and read by an attacker.
“The lack of basic security at this level is a serious omission and raises serious questions about how these services handle information stored on their servers,” it added.
The findings raise concerns about the use of Bluetooth Low Energy (BLE) as a technology underpinning these systems. BLE is already used to power beacon technology, such as iBeacons.
And since many users, out of sheer convenience, reuse the same handful of passwords across services, apps that spit out user credentials in clear text are particularly worrying.
Similarly, these apps contacted different domains – not unexpected in this instance, but the average was five and the highest number was 14. More than half (52%) of apps examined didn’t have privacy policies, yet it was the domain access that worried the researchers.
“Despite the best intentions of app developers, information about users’ activities could still be revealed in the most unlikely of ways due to the way the app uses third party services,” they wrote, adding: “When we choose not to share something, we certainly don’t want our service providers to do so directly or indirectly on our behalf.”
Symantec is also keen to point out that this data could be leaked through any number of conventional reasons, such as human error or social engineering – check out Mozilla’s boo-boo earlier this week involving 76,000 developer email addresses for proof of that.