Each day, millions of people worldwide are actively recording every aspect of their lives, thoughts, experiences, and achievements in an activity known as self-tracking (aka quantified self or life logging). People who engage in self-tracking do so for various reasons. Given the amount of personal data being generated, transmitted, and stored at various locations, privacy and security are important considerations for users of these devices and applications. Symantec has found security risks in a large number of self-tracking devices and applications. One of the most significant findings was that all of the wearable activity-tracking devices examined, including those from leading brands, are vulnerable to location tracking.

Our researchers built a number of scanning devices using Raspberry Pi minicomputers and, by taking them out to athletic events and busy public spaces, found that tracking of individuals was possible.

Symantec also found vulnerabilities in how personal data is stored and managed, such as passwords being transmitted in clear text and poor session management.

How do self-tracking systems work?

Many people who engage in self-tracking do it with gadgets such as electronic wristbands, smart watches, pendants, and even smart clothing. These gadgets typically contain a number of sensors, a processor, memory, and a communication interface. These gadgets enable the user to effortlessly collect, store, and transmit the data to another computer for processing and analysis.



Figure 1. What’s in a typical quantified self device

Despite the growing use of specifically designed gadgets, smartphones are perhaps the most common way for people to perform self-tracking. A modern smartphone is packed with a wide range of different sensors that can be used by many different self-tracking applications. Many people already carry smartphones with them, and the proliferation of free self-tracking apps makes it easier than ever for users to get into self-tracking.



Figure 2. Modern smartphones are jammed with sensors

To start self-tracking, users simply choose from a wide range of apps in the various app markets, install one of them, sign up for an account, and start tracking. At the end of every session, the user can review and sync the collected data to a cloud-based server for storage.

So just how safe is your quantified self?

When we hand over our personal and quantified self data to these service providers, are we misplacing our trust in them? How do we know that they are taking the steps necessary to protect our information and our privacy? To help get a handle on this, we’ve looked at what’s currently going on in the world of self-tracking. We examined what vendors are doing to protect users of their services by taking a closer look at some of the most popular quantified self devices and apps on the market.

Location tracking of wearable devices

All wearable activity-tracking devices can be tracked or located through wireless protocol transmissions.

There are many wearable sports activity-tracking devices currently available on the market. These devices generally contain sensors to detect motion but most are not designed for location tracking. Data collected by these devices generally has to be synced to another device or computer so that it can be viewed. For convenience, many manufacturers use Bluetooth Low Energy to allow the device to wirelessly sync data to a smartphone or computer. However, this convenience comes with a price; the device may be giving away information that can allow it to be tracked from one location to another.

To test how these devices could be tracked, we built some portable Bluetooth scanning devices using Raspberry Pi minicomputers and off-the-shelf components which included a Bluetooth 4.0 adaptor, a battery pack and an SD card. All these components could be bought from a typical main street retailer. These were combined with open source software and some custom scripting. Each device cost no more than US$75 and could easily be put together by anybody with basic IT skills.



Figure 3. Our own portable Bluetooth scanner, dubbed Blueberry Pi

The portable scanners were then taken to various busy public locations in Ireland and Switzerland where we walked around with them to see what we could find. We also took them to a major sporting event and placed them at static locations allowing us to track competitors as they progressed in the race. The scanners ran on a passive basis and did not attempt to make connections to any devices that were discovered. They simply scanned the airwaves for signals broadcasted from devices.

In our testing, we found that all the devices we encountered can be easily tracked using the unique hardware address that they transmit. Some devices (depending on configuration) may allow for remote querying, through which information such as the serial number or a combination of characteristics of the device can be discovered by a third party from a short distance away without making any physical contact with the device.



Figure 4. Most wearable activity-tracking devices are traceable

From the results of this research, it appears that manufacturers of these devices (including market leaders) have not seriously considered or addressed the privacy implications of wearing their products. As a result, the devices, and by association the wearers, can be easily tracked by anybody with some basic skills and a few cheap tools.

Why worry about this?

It’s possible that burglars or stalkers could use location-tracking information for malicious intent. Burglars have been known to use location-tracking systems to tell when a potential victim is not at home.

Transmission of tracking and personal data in clear text

20 percent of apps transmitted user credentials in clear text.

Many of the quantified self apps and services have a cloud server-based component where users are required to upload and store data collected from their apps and services for safe keeping and analysis. Aside from just storing data about activities, some services also collect a wide range of other personal information such as date of birth, relationship status, addresses, photos, and other personal statistics. To prevent unauthorized access to the users’ data, these services all require user accounts which are protected by user name and password credentials.

The problem we observed is that an unacceptably large proportion of these apps and services do not handle sensitive user data, such as user names (e.g. email address) and passwords, securely. Many of them transmit user-generated data, including login credentials, through an unsecure medium such as the Internet without any attempt to protect it (e.g. by encrypting it). This means that the data could be easily intercepted and read by an attacker. The lack of basic security at this level is a serious omission and raises serious questions about how these services handle information stored on their servers.

Why worry about this?

The transmission of credentials in clear text is especially troubling given that large numbers of people have a propensity to reuse login credentials at multiple sites. Due to reuse, login details stolen from one service could potentially be used to gain access to more sensitive services such as email accounts or online shopping accounts.

Lack of privacy policies

52 percent of apps examined did not have privacy policies.

Self-tracking apps and services are by their nature designed to collect and analyze personal information. Therefore it is reasonable to expect, and indeed is legally required in many jurisdictions (e.g. Online Privacy Protection Act 2003), of companies that collect and manage PII to make available a privacy policy that is prominently displayed and easily accessible. Privacy policies should preferably be understandable, even by those not in the legal profession, and shown to users before they sign up for a service so that they can make a considered choice before using it.

Despite the importance of having a privacy policy, the majority of apps that we examined did not have one.

Why worry about this?

The lack of a privacy policy may be a possible indicator of how the issue of security is treated in the development and provision of online self-tracking services. Users would be well advised to take this into consideration before signing up for any services.

Unintentional data leakage

The maximum number of unique domains contacted by a single app was 14 and the average was five.

On average we found that the apps contacted five different Internet domains. In the worst case, we found an app that contacted 14 different domains in a short period of execution. While it is understandable that apps may need to contact a small number of domains in order to transmit collected data and access certain APIs, such as for ads, it may come as a bit of a surprise to learn that a significant number of apps contacted ten or more different domains for various purposes. Many of the apps report to analytics services, these services gather and analyze app or user behavior for marketing purposes. Some apps use app analytics to examine the performance of the app itself, reporting performance issues and crashes.

Despite the best intentions of app developers, information about users’ activities could still be revealed in the most unlikely of ways due to the way the app uses third party services. For example in one app that tracks sexual activity, the app makes specific requests to an analytics service URL at the start and end of each session. In its communication, the app passes a unique ID for the app instance and the app name itself as well as messages indicating start and stop of the tracked activity.

Aside from the scenario mentioned previously, there are also countless other scenarios where personal data could be leaked unintentionally, such as through human error or social engineering or careless handling of data.

Why worry about this?

While many of us like to share details of our lives with friends and family, there are many things that we don’t necessarily want to share. When we choose not to share something, we certainly don’t want our service providers to do so directly or indirectly on our behalf.

Other security weaknesses

In any shared service, user accounts are used to segregate one user’s status and data from others. Sessions are used to manage the flow of data and processing so that users can only access their own data and perform tasks on the data that they are permitted to access. Weak session management can be exploited by cybercriminals to hijack sessions so that they can masquerade as other users. This can lead to information leaks, data vandalism, and other problems.

In our research, we encountered some sites that did not correctly handle user sessions. In one example it was possible to browse personal data belonging to other users of the site. In another instance, it was possible for an attacker to upload SQL statements, such as commands to create tables in the database, to the server for execution. These are serious security lapses that could lead to a major breach of the user database.

Why worry about this?

Poorly designed or implemented systems could expose serious vulnerabilities that attackers can exploit. These could lead to a full compromise of user data at the service provider’s end. Depending on the sensitivity of the data that is held, the implications for users could range from something as inconsequential as how many glasses of water you drank today, to something more serious such as your current location.

What can you do about this?

At first glance, self-tracking and privacy may appear to be strange bedfellows. How can recording lots of data about yourself and maintaining privacy even be possible? Considering the security and privacy issues that we have seen, the obvious conclusion is, if you value your privacy, the best thing is to not do any self-tracking at all!

Despite potential risks to security and privacy, the quantified self movement continues to experience rapid growth and is expected to keep growing for some years to come. To ensure that users can continue to enjoy this activity in safety, we recommend that they take some basic security precautions to help guard against the risk of exposing their personal and self-tracking information.

Use a screen lock or password to prevent unauthorized access to your device

Do not reuse the same user name and password between different sites

Use strong passwords

Turn off Bluetooth when not required

Be wary of sites and services asking for unnecessary or excessive information

Be careful when using social sharing features

Avoid sharing location details on social media

Avoid apps and services that do not prominently display a privacy policy

Read and understand the privacy policy of app and services

Install app and operating system updates when available

Use a device-based security solution if available

Use full device encryption if available

More information

For those who want more details on this topic, you can read our latest paper entitled: How safe is your quantified self?