Wearable users tracked with Raspberry Pi Published duration 1 August 2014

image copyright AP image caption Scooping up data broadcast by wearables is "trivial", security researchers say

People who use wearable gadgets to monitor their health or activity can be tracked with only $70 (£40) of hardware, research suggests.

The work, carried out by security firm Symantec, used a Raspberry Pi computer to grab data broadcast by the gadgets.

The snooping Pi was taken to parks and sporting events where it was able to pick out individuals in the crowds.

Symantec said makers of wearables need to do a better job of protecting privacy and handling data they gather.

'Serious breach'

The research team used a barebones Raspberry Pi computer to which they added a Bluetooth radio module to help sniff for signals. At no time did the device try to connect to any wearable. Rather, it just scooped up data being broadcast from gadgets close by.

Symantec said the eavesdropping was possible because most wearables were very simple devices that communicated with a smartphone or a laptop when passing on data they have collected.

The researchers, Mario Barcena, Candid Wueest and Hon Lau, took their Pi to busy public places in Switzerland and Ireland, including sporting events, to see what data they could grab.

"All the devices we encountered can be easily tracked using the unique hardware address they transmit," the team wrote in a blogpost

Some of the devices picked up were also susceptible to being probed remotely to make them reveal serial numbers or other identifying information. It would be "trivial", said the researchers, for anyone with a modicum of computer and electronics knowledge to gather this information.

Trick databases

In addition, the research team looked at the apps associated with some activity monitors or which use a smartphone to gather data. About 20% of the apps Symantec looked at did nothing to obfuscate data being sent across the net even though it contained important ID information, such as name, passwords and birthdate.

"The lack of basic security at this level is a serious omission and raises serious questions about how these services handle information stored on their servers," said the Symantec team.

Further investigation revealed that many apps did not do enough to secure the passage of data from users back to central servers. In some cases it was possible to manipulate data to read information about other users or trick databases into executing commands sent by external agents.