Researchers have shown how simple it is to monitor and record Bluetooth low energy signals transmitted by phones and wearable devices, allowing the user to be easily identified and tracked.
Researchers at Context Information Security have demonstrated how easy it is to monitor and record Bluetooth Low Energy signals transmitted by many mobile phones, wearable devices and iBeacons, including the iPhone and leading fitness monitors, raising concerns about privacy and confidentiality. The researchers have even developed an Android app that scans, detects and logs wearable devices.
The app can be downloaded along with a detailed blog explaining the research at: www.contextis.co.uk/resources/blog/emergence-bluetooth-low-energy
The Context findings follow recent reports that soldiers in the People’s Liberation Army of China have been warned against using wearables to restrict the possibility of cyber-security loopholes. “Many people wearing fitness devices don’t realise that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” said Scott Lester, a senior researcher at Context. “Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device – that may belong to a celebrity, politician or senior business executive – within 100 metres in the open air. This information could be used for social engineering as part of a planned cyber attack or for physical crime by knowing people’s movements.”
Bluetooth Low Energy (BLE) was released in 2010 specifically for a range of new applications that rely on constantly transmitting signals without draining the battery. Like other network protocols it relies on identifying devices by their MAC addresses; but while most BLE devices have a random MAC address, Context researchers found that in most cases the MAC address doesn’t change. “My own fitness tracker has had the same MAC address since we started the investigation, even though it’s completely run out of battery once,” said Lester. Sometimes the transmitted packets also contain the device name, which may be unique, such as the ‘Garmin Vivosmart #12345678’, or even give the name of the user, such as ‘Scott’s Watch’.
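A "random" BLE address is not necessarily a changing one: the top two bits of a random address mark it as static or private, and only private addresses are meant to rotate. The following added example (not Context's app or code) audits a constructed scan log for the two exposures described above, an address that persists and a name carried in the advertisement; the log layout, the sample devices and the one-day rotation threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed observations (not real devices): day seen, advertiser address,
# TxAdd flag from the advertising PDU header, advertised local name if any.
SAMPLE_LOG = [
    (1, "D4:3A:2C:10:9F:01", "random", "Scott's Watch"),
    (2, "D4:3A:2C:10:9F:01", "random", "Scott's Watch"),
    (9, "D4:3A:2C:10:9F:01", "random", "Scott's Watch"),
    (1, "5B:11:22:33:44:55", "random", None),
    (1, "6C:AA:BB:CC:DD:EE", "random", None),
    (1, "00:1B:DC:0F:12:34", "public", "Tracker #12345678"),
    (3, "00:1B:DC:0F:12:34", "public", "Tracker #12345678"),
    (1, "1E:01:02:03:04:05", "random", None),
    (5, "1E:01:02:03:04:05", "random", None),
]

def address_type(addr, tx_add):
    """Classify a BLE advertiser address; random sub-type is in the top two bits."""
    if tx_add == "public":
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {0b11: "random-static", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")

def audit(log):
    """Return {address: (type, findings)} for addresses that allow tracking."""
    days, names, kinds = defaultdict(set), {}, {}
    for day, addr, tx_add, name in log:
        days[addr].add(day)
        kinds[addr] = address_type(addr, tx_add)
        if name:
            names[addr] = name
    report = {}
    for addr, kind in kinds.items():
        findings = []
        if kind in ("public", "random-static"):
            findings.append("address fixed by design")
        elif len(days[addr]) > 1:
            # Assumption for this example: a private address should not
            # survive from one day to the next.
            findings.append("private address not rotating")
        if addr in names:
            findings.append("name in advertisement: " + names[addr])
        if findings:
            report[addr] = (kind, findings)
    return report

if __name__ == "__main__":
    for addr, (kind, findings) in audit(SAMPLE_LOG).items():
        print(addr, kind, "; ".join(findings))
```

Devices that report a private address type but still appear in the output are the case the researchers describe: the address is nominally random yet stable enough to follow.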
BLE is also increasingly used in mobile phones and is supported by iOS 5 and later, Windows Phone 8.1, Windows 8, Android 4.3 and later, as well as the BlackBerry 10. The Bluetooth Special Interest Group (SIG) has predicted that, “By 2018, more than 90 percent of Bluetooth enabled smartphones are expected to be Smart Ready devices,” supporting BLE; while the number of Bluetooth enabled passenger cars is also predicted to grow to over 50 million by 2016.
iBeacons, which also transmit BLE packets in order to identify a location, are already used in Apple Stores to tailor notifications to visiting customers, while BA and Virgin use iBeacons with their boarding pass apps to welcome passengers walking into the lounge with the WiFi password. House of Fraser is also trialling iBeacons on manikins to allow customers to look at the clothes and their prices on their phones. The current model for iBeacons is that they should not be invasive; you have to be running the application already, for it to detect and respond to a beacon. But the researchers have concerns: “It doesn’t take much imagination to think of a phone manufacturer providing handsets with an iBeacon application already installed, so your phone alerts you with sales notifications when you walk past certain shops,” said Lester.
The current version 4.2 of the Bluetooth Core Specification makes it possible for BLE to implement public key encryption and keep packet sizes down, while also supporting different authentication schemes. “Many BLE devices simply can’t support authentication and many of the products we have looked at don’t implement encryption, as this would significantly reduce battery life and increase the complexity of the application,” said Lester.
“It is clear that BLE is a powerful technology, which is increasingly being put to a wide range of uses,” concludes Context’s Lester. “While the ability to detect and track devices may not present a serious risk in itself, it certainly has the potential to compromise privacy and could be part of a wider social engineering threat. It is also yet another demonstration of the lack of thought that goes into security when companies are in a rush to get new technology products to market.”
Gadget goes to Hollywood
Gadget visited the Netflix studios last week. In the first of a series, ARTHUR GOLDSTUCK talks to CEO Reed Hastings.
Netflix CEO Reed Hastings is no stranger to Africa. He has travelled throughout South Africa, taught maths in Swaziland for two years with the Peace Corps, and visits close family in Maputo. As a result, he is keenly aware of the South African entertainment and connectivity landscape.
In an exclusive interview at the Netflix studios in Hollywood, Los Angeles, last week, he revealed that Netflix had no intentions of challenging MultiChoice’s dominance of live sports broadcasting on the continent.
“Other firms will do sport and news; we are trying to focus on movies and TV shows,” he said. “There are a lot of areas that are video that we are not doing: sports, news, video gaming, user-generated content. We don’t have live sport.
“We’re not replacing MultiChoice at all. Their subscriber growth is steady in South Africa. They serve a need that’s independent of the Internet, via low-price satellite. There is no intention of capturing that audience. If they’re growing, it’s because they serve a need.”
While Reed ruled out any collaboration with MultiChoice on its satellite delivery platform, despite its collaboration with another pay-TV service, Sky TV in the United Kingdom, he did not close the door. He stressed that Netflix saw itself as an Internet-based service, and would pursue the opportunities offered by evolving broadband in Africa.
“If you look in other markets like the USA, how Comcast carries us on set-top boxes with their other services, it could happen with MultiChoice, the same as with all the pay-TV providers.
“We’re really focused on being a service over the Internet and not over satellite. Our service doesn’t work on satellite. Where we work with Sky is on Internet-connected devices. We’re happy to work on Internet-connected devices. We tend to work on smart TVs, but need broadband Internet for that.
“Broadband is getting faster in Nigeria, Tanzania, Kenya and South Africa – we can see the positive trendlines – so it’s more likely we will work with broadband Internet companies.”
Hastings is a firm believer in the idea that one content provider’s success does not depend on pushing another down.
“HBO has grown at the same time as we have, so can see our success doesn’t determine their success. What matters is amazing content with which the world falls in love.”
Take these 5 steps to digital
By MARK WALKER, Associate Vice President for Sub-Saharan Africa at IDC Middle East, Africa and Turkey.
Digital transformation isn’t a buzzword because it sounds nice and looks good on the business CV. It is fundamental to long-term business success. IDC anticipates that 75% of enterprises will be on the path to digital transformation by 2027.
However, digital transformation is not a process that ticks a box and moves to the next item on the agenda – it is defined by the organisation’s shift towards a digitally empowered infrastructure and employee. It is an evolution across system, infrastructure, process, individual and leadership and should follow clear pathways to ensure sustainable success.
The nature of the enterprise has changed completely with the influence of digital, cloud and the Fourth Industrial Revolution (4IR), and success is reliant on strategic change.
“There is a lot more ownership and transparency throughout the organisation and there is a responsibility that comes with that – employees want access to information, there has to be speed in knowledge, transactions and engagement,” he adds. “To ensure that the organisation evolves alongside digital and demand, it has to follow five very clear pathways to long-term, achievable success.”
The first of these is to evaluate where the enterprise sits right now in terms of its digital journey. This will differ by organisation size and industry, as well as its reliance on technology. A smaller organisation that only needs a basic accounting function or the internet for email will have far different considerations to a small organisation that requires high-end technology to manage hedge funds or drive cloud solutions. The same comparisons apply to the enterprise-level organisation. The mining sector will have a completely different sub-set of technology requirements and infrastructure limitations to the retail or finance sectors.
Ultimately, every organisation, regardless of size or industry, is reliant on technology to grow or deliver customer service, but their digital transformation requirements are different. To ensure that investment into artificial intelligence (AI), machine learning, knowledge engines, automation and connectivity are accurately placed within the business and know exactly where the business is going.
The second step is to examine what the business wants to achieve. Again, the goals of the organisation over the long and short term will be entirely sector dependent, but it is essential that it examine what the competitive environment looks like and what influences customer expectations. This understanding will allow for the business to hone its digital requirements accordingly.
The third step is to match expectations to reality. You need to see how you can move your digital transformation strategy forward and what areas require prioritisation, what funding models will support your digital aspirations, and how this ties into what the market wants. Ultimately, every step of the process has to be prioritised to ensure
The fourth step is to look at the operational side of the process. This is as critical as any other aspect of the transformation strategy as it maps budget to skills to infrastructure in such a way as to ensure that any project delivers return on investment. Budget and funding are always top of mind when it comes to digital transformation – these are understandably key issues for the business. How will it benefit from the investment? How will it influence the customer experience? What impact will this have on the ongoing bottom line? These questions tie neatly into the fifth step in the process – the feedback loop.
This is often the forgotten step, but it is the most important. The feedback loop is critical to ensuring that the digital transformation process is achieving the right results, that the right metrics are in place, and that the needle is moving in the right direction. It is within this feedback loop that the organisation can consistently refine the process to ensure that it moves to each successive step with the right metrics in place.
There is also one final element that every organisation should have in place throughout its digital evolution. An element that many overlook – engagement. There must be a real desire to change, from the top of the organisation right down to the bottom, and an understanding of what it means to undertake this change and why it is essential. This is why this will be a key discussion at the 2019 IDC South Africa CIO Summit taking place in April this year. With this in place, the five steps to digital transformation will make sense and deliver the right results.