UPDATED 07:11 EDT / AUGUST 04 2014

Symantec: Wearables can be hacked to track workouts and even sexual activity

small__8566082872Here’s some jarring news for those who love to automatically tweet and track their exercise, sleep and sex routines. Adherents of “quantified self” might learn more about themselves, but they’re also making it possible for hackers to do the same.

At least that’s what Symantec Corp. says. Using customized Raspberry Pi computers, Symantec’s security experts were able to pick apart numerous glaring holes in fitness trackers and other common wearable gadgets. They found that some devices could easily be tracked geographically, many use applications that send data in easily-hackable plain text format, and others had poor server-side security.

Symantec built its homemade tracker tracking tool using just a Raspberry Pi, with an additional battery pack, a 4GB SD card, Bluetooth 4.0 capability and a little custom written script. The total cost came to just $75. The devices were tested on location in Switzerland and Ireland.

Symantec researchers found that most wearable gadgets transmit a unique media access control (MAC) address, which is common to computing devices. Once a device can be linked to an individual, tracking becomes trivial.  Researchers said they didn’t even have to force a remote connection.

Applications running on the devices were even less secure, said Symantec. More than 20 percent of wearables didn’t use any kind of encryption at all when sending data to the cloud. Things weren’t much better from a privacy perspective; many devices also share data with marketing and advertising firms.

Symantec says this just increases the scope for potential data leakage. “In one app that tracks sexual activity, the app makes specific requests to an analytics service URL at the start and end of each session. In its communication, the app passes a unique ID for the app instance and the app name itself as well as messages indicating start and stop of the tracked activity.” So advertisers could literally track your performance in the sack.

Developers were also criticized for their poor privacy polices. Some 52 percent of apps had no privacy policy at all, while others were slammed by Symantec for poorly segregating data at the server side.

“In one example it was possible to browse personal data belonging to other users of the site. In another instance, it was possible for an attacker to upload SQL statements, such as commands to create tables in the database, to the server for execution,” notes the report.

Symantec’s report comes less than a week after HP Fortify published its own study about the Internet of Things’ glaring lack of security. That report found that some 70 percent of popular IoT devices contain vulnerabilities, including weak password protection, insecure apps and unencrypted data transmissions.

photo credit: Mike Licht, NotionsCapital.com via photopin cc

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU