Smart phones, mobile apps and wearable technology devices such as wristbands that monitor biometric signs pose privacy and security risks to their users, according to a recent report from Symantec Corp.
The software and security company recently sent its researchers to various athletic events and busy public spaces in Ireland and Switzerland, armed with a $35 Raspberry Pi microcomputer tricked out with a Bluetooth scanner. They found that it was incredibly easy to track individuals by homing in on the signals of their mobile devices. Many device manufacturers use Bluetooth Low Energy to enable the devices to wirelessly sync data to a smart phone or computer.
Apart from finding out that all of the wearable activity tracking devices examined are vulnerable to tracking, Symantec reported that one in five (20 per cent) mobile applications transmitted passwords in plain text.
“From the results of this research, it appears that manufacturers of these devices (including market leaders) have not seriously considered or addressed the privacy implications of wearing their products,” according to an official blog by Symantec. “As a result, the device and by association the wearer can easily be tracked by anybody with some skills and a few cheap tools.”
Symantec also stressed the privacy implications of potential unauthorized access to data collected by the devices.
Devices such as sports activity-tracking wearable devices or smart phones with activity tracking apps generally contain sensors to detect motion and location. Many of the apps and services also have a cloud server-based component which requires users to upload and store data collected from their apps for safekeeping and analysis.
Aside from storing data on activities, Symantec said, some services also collect personal information such as date of birth, relationship status, addresses, photos and other personal statistics.
Users are given a password to prevent unauthorized access to the data.
However, Symantec found that an “unacceptably large proportion of these apps and services” do not securely handle sensitive user data such as user names, email addresses and passwords. Many of the apps transmit user-generated data, including login credentials, through the Internet without the benefit of encryption.
“This means data could be easily intercepted and read by an attacker,” Symantec said. “The transmission of credentials in clear text is especially troubling given that large numbers of people have a propensity to reuse login credentials at multiple sites.”