QUANTIFIED SELF A Path to Self-Enlightenment or Just a Security Nightmare?



Similar documents
Trend Micro Worry- Free Business Security st time setup Tips & Tricks

The increasing popularity of mobile devices is rapidly changing how and where we

Bluetooth Smart, But Not Smart Enough

Your Mission: Use F-Response Cloud Connector to access Google Apps for Business Drive Cloud Storage

Social Network Security. Frank K. F. Chow Vice-Chairperson Professional Information Security Association (PISA)

Online Backup by Mozy. Common Questions

AdRadionet to IBM Bluemix Connectivity Quickstart User Guide

Single Sign-On Framework in Tizen Contributors: Alexander Kanavin, Jussi Laako, Jaska Uimonen

National Cyber Security Month 2015: Daily Security Awareness Tips

IIS 6.0SSL Certificate Deployment Guide

Administering FileVault 2 on OS X Lion with the Casper Suite. Technical Paper July 2012

Revu validates and signs documents based on the Windows Certificate Store and the PKCS #12 standards. Revu also supports Adobe CDS signatures.

How to configure Mac OS X Server

Outlook Profiler 2.5 Series Instruction Manual

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Fitbit Zip Product Manual

Egress Switch Best Practice Security Guide V4.x

Drobo How-To Guide Drobo Apps - Configuring ElephantDrive

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Security Evaluation CLX.Sentinel

Smart TPM. User's Manual. Rev MD-STPM-1001R

Digital Signatures on iqmis User Access Request Form

End User Devices Security Guidance: Apple ios 8

Mobile Application Security

Instructions for Configuring Your Browser Settings and Online Security FAQ s. ios8 Settings for iphone and ipad app

FileCloud Security FAQ

NTP Software File Auditor for Windows Edition

Secret Server Qualys Integration Guide

Additional Guides. TETRIX Getting Started Guide NXT Brick Guide

How to Migrate to MailEnable using the Migration Console

Introduction Configuration & Spam Detection WinWare Webmail Accounts Account Notes Definitions...

Getting Started What s included Setting up Fitbit One on a computer Mac & PC Requirements... 2

Symantec Mail Security for Microsoft Exchange

Intunex Oy Skillhive Service Description 1 / 6

NSi Mobile Installation Guide. Version 6.2

Facing Up to the Threats of Cyber A6acks in a 5G World

OneDrive for Business FAQ s Updated 6/19/14

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Apptix Online Backup by Mozy

With Great Power comes Great Responsibility: Managing Privileged Users

Norton Mobile Privacy Notice

USER GUIDE WWPass Security for Windows Logon

10 Quick Tips to Mobile Security

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager

Marlon R Clarke, Ph. D., CISSP, CISM Director Network Operations and Services, NSU

Chapter 7 Managing Users, Authentication, and Certificates

Setting Up . on Your Touch by HTC

Junos Pulse for Google Android

Protection for your account

How To Protect Yourself Online

Using Authorize.net for Credit Card Processing in YogaReg

General Security Best Practices

PrivateServer HSM EKM Provider for Microsoft SQL Server

Fitness Wristband Active TX 38

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

Module - Facebook PS Connect

NotifyMDM Device Application User Guide Installation and Configuration for Windows Mobile 6 Devices

Security and Privacy Issues of Wireless Technologies

PrinterOn Mobile Print Application Overview and User Guide

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Penetration Testing - a way for improving our cyber security

Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience

Wi-Fi, Bluetooth, and the Internet of Things

User Guide FOR TOSHIBA STORAGE PLACE

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Cloudifile Getting Started

GATEWAY CONFIGURATION GUIDE. PowerCharge

SuperValu Car Insurance FAQs

October Is National Cyber Security Awareness Month!

What is Web Security? Motivation

Certified Secure Computer User

AVG Business Secure Sign On Active Directory Quick Start Guide

MiniPOS and BluePad-50 user manual

Setting Up . on Your Sprint Power Vision SM Mogul by HTC

Intel Compute Stick STCK1A32WFC User Guide. Intel Compute Stick STCK1A32WFC

WP Tweets PRO User's Guide

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

Last modified: November 22, 2013 This manual was updated for the TeamDrive Android client version

Using Drobo for Onsite & Offsite backup with Carbon Copy Cloner

MySQL Security: Best Practices

State of South Carolina Policy Guidance and Training

CU AnyHour+ Online Banking FAQ's

Guidance End User Devices Security Guidance: Apple ios 7

Secure Your Mobile Workplace

PowerLink for Blackboard Vista and Campus Edition Install Guide

Sync Security and Privacy Brief

Resco Mobile CRM Security

Basic Security Considerations for and Web Browsing

Transcription:

42 Calories 96 BPM Location: AMS QUANTIFIED SELF A Path to Self-Enlightenment or Just a Security Nightmare? Candid Wüest THREAT RESEARCHER Thanks To: Mario Ballano & Hon Lau

WHAT IS QUANTIFIED SELF? Recording everything about your life Internet Of Things Health Sports & Recreation QUANTIFIED SELF Wearable Tech Business Culture 2

WHERE THE BITS FIT IN More moving parts = more risks RISK RISK RISK 23.56 KM 123 BPM 15. 8 RISK RISK 3

UNINTENTIONAL DATA LEAKS The secret life of mobile apps... MAX DOMAINS CONTACTED 14 AVG DOMAINS CONTACTED 5 APP ANALYTICS AD NETWORKS APP PROVIDER OS PROVIDER SOCIAL MEDIA APP FRAMEWORKS CRM/MARKETING UTILITY API 4

VERIFY THE DEFAULT SETTINGS! Example: Fitbit once had the sexual activity visible to all by default 5 5

DATA CUSTODIANS It is personal identifiable information, but not as we know it Apps that access HealthKit are required to have a privacy policy, Apple.com From the analyzed apps 52% had no privacy policy 6 6

7 YOUR DATA IS ALREADY BEING ANALYSED Jawbone: Who s asleep during San Francisco earthquake 2014? 7

20% SENT PASSWORDS IN CLEAR TEXT Larger proportion of the top 100 health apps leaked activity data through HTTP Some apps accepted self-signed certificates or don t check revocation lists POST http://api.******.com/mobile/functions.ashx?action=registeruser FName: ken LName: west GoalWeight: 68 GET http://*****.***/api/createuser? Email: kenwest@this.tld username=kenwest Password: P@SSw0rd email=kenwest@this.tld password=p@ssw0rd POST http://******.*******.net/cgi-bin/account password: 8EEFB875DB938CEC08299BE7AA709EE0 action: create email: kenwest@this.tld preflang: de_ch No need to crack simply pass the hash 8

9 ENUMERATE USER DATA FOR SPAMMERS "facebook_access_token":null,"face_join":"0","first_run":"0","metric":"0","last_entry":null,"face_cache_l ast_update":null,"uuid":"d53fe2973d3ad4276a8aa5aaae0730axxxx74aeefd9cc446b80eb14391a6xxxx", Social media accounts "friendly":0,"follow":0,"currentweight":"190","sexnumber":"1","percent_to_lose":100,"percent_to_bf_lo se":100,"totalbudget":1650,"systolic_warning":"bar bar-warning", "diastolic_warning":"bar bar- HTTP GET /api/getuser/877 Name Email Password Birthday 0","google_uid":null,"google_join":"0", Photo Nike_pwd Fitbit_token warning","systolic":null,"diastolic":null, Withings_token Google_uid Facebook_access_token [No authentication needed] {"result":true,"data":{"id":"877","name":"kenwest","email":"ken@this.tld", "password":"705bf40d40cb2904b04294fbc355xxxx","role":"0","about":null,"salt":"xgdlkaenp1","sex":" Male","age":null,"purpose":null,"coach_id":"1","heightfeet":null,"birthday":null,"heightinch":null,"startw eight":null,"_currentweight":null,"targetweight":null,"_startbf":null,"_currentbf":null,"_targetbf":null,"_s ystolic":null,"_diastolic":null,"neck":null,"_hips":null,"_waist":null,"forearm":null,"wrist":null,"imageurl": null,"photo":null,"thumbnail_65":null,"thumbnail_150":null,"nike_user":null,"nike_pwd":null,"nike_join": "0","face_uid":null,"provider":"0","timezone":"America\/Los_Angeles","fitbit_token":null,"fitbit_secret": Ideal for spammers null,"fitbit_join":"0","withings_token":null,"withings_secret":null,"withings_userid":"0","withings_join":" Email, context and "startavatar":"\/img\/male\/male_110","avatar":"\/img\/male\/male_190","points":0,"avgcalories":"108.71263885498047","avgminutes":"44.0000","avgweight":"190","sumweekcalories":"still working on weight loss","level":"newbie", xxxxscore":0.60394444444444}} 9

OPEN REMAILER SCRIPTS POST http://www.***.com/members/community130204/sendmail.php email: kenwest@this.tld subject: Daily Activity message: Dear User, You have 1 new private message. Please go to POST http://www.***.com/members/community130204/sendmail.php email: kenwest@this.tld subject: Your Daily Spam message: Dear User, You have 1 new SPAM message. Please click here

POSSIBLE IMPACT Account hijack o The problem of password reuse o Costs: Sign the user up for premium services, commitments, o Change the privacy settings 11 Spam o Enumerate user data to send spam with context o Create dummy accounts & use profile page as spam landing pages o Use socal media accounts to find friends and spam them 11

GET REWARDED Who said you have to run yourself? Dog-sitters? 12 12

POSSIBLE IMPACT Cont. Loss of privacy o Reveal personal details: Identity theft, profiling, extortion, o Reveal Location: Stalking, burglar, kidnapping, corporate misuse, 13 Loss of integrity o Modify/inject data: Gain rewards, high scores, frustrate other people ;-) o Delete the account and history o Brick the device through firmware updates 13

BLUETOOTH LOW ENERGY 14 aka Bluetooth SMART and BTLE part of BT 4.0 (2010) Different from classic Bluetooth Does frequency hopping but can still be sniffed Pairing has been broken (Mike Ryan) Bluetooth Smart (low energy) technology supports a feature that reduces the ability to track a Bluetooth device over a period of time by changing the address on a frequent basis. Bluetooth.org 14

SCANNING WITH A BLUEBERRY PI TOTAL PRICE $75 4GB SD Card $5 Battery pack $28 Raspberry pi $35 Bluetooth 4.0 USB dongle $7 OUR BLUETOOTH TRACKER 15

SCAN RESULTS FOR MINI MARATHON The phone may reveal the real name associated with the device 30 from 563 devices had something like a person s name Rita :)) Darren! Franks phone Erica 45.0% 40.0% 35.0% 30.0% 25.0% 20.0% 15.0% 10.0% 5.0% 0.0% Dawson Alieen's mobile!!:) Garret rip xxx Big hairy bollo A B C D E F G H I 16

SCAN RESULTS FOR BLACKHAT EU 2014 203 BTLE devices and 21 wearable fitness trackers seen

SOME WANT THE DATA TO BE SEEN 18 Source: blog.everytrail.com 18

SELF-TRACKING CAN BE RISKY FOR USERS Your digital footprint will be everywhere! 23.56 KM 123 BPM 15.8 52% Do not have a privacy policy 20% Login credentials in clear text 14 Domains contacted by apps 19

WHAT CAN USERS DO? TURN OFF BLUETOOTH IF NOT REQUIRED KEEP DEVICE/SOFTWARE/OS UPDATED DON'T REUSE USERNAME/PASSWORDS USE STRONG PASSWORDS LOOK FOR A PRIVACY POLICY EXCESSIVE INFORMATION GATHERING SCREEN LOCK DEVICE ENCRYPTION SECURITY SOFTWARE 23.5 6 KM 123 BPM 15.8 20

QUESTIONS? BLOG WHITEPAPER TWITTER WEB http://bit.ly/1pggefw http://bit.ly/1ngb4vw @threatintel http://www.symantec.com Copyright 2014 Symantec Corporation. All rights reserved. 21

THANK YOU! BLOG WHITEPAPER TWITTER WEB http://bit.ly/1pggefw http://bit.ly/1ngb4vw @threatintel http://www.symantec.com Copyright 2014 Symantec Corporation. All rights reserved. 22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information