Researchers have shown how simple it is to monitor and record Bluetooth low energy signals transmitted by phones and wearable devices, allowing the user to be easily identified and tracked.
Researchers at Context Information Security have demonstrated how easy it is to monitor and record Bluetooth Low Energy signals transmitted by many mobile phones, wearable devices and iBeacons, including the iPhone and leading fitness monitors, raising concerns about privacy and confidentiality. The researchers have even developed an Android app that scans, detects and logs wearable devices.
The app can be downloaded along with a detailed blog explaining the research at: www.contextis.co.uk/resources/blog/emergence-bluetooth-low-energy
The Context findings follow recent reports that soldiers in the People’s Liberation Army of China have been warned against using wearables to restrict the possibility of cyber-security loopholes. “Many people wearing fitness devices don’t realise that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” said Scott Lester, a senior researcher at Context. “Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device – that may belong to a celebrity, politician or senior business executive – within 100 metres in the open air. This information could be used for social engineering as part of a planned cyber attack or for physical crime by knowing people’s movements.”
Bluetooth Low Energy (BLE) was released in 2010 specifically for a range of new applications that rely on constantly transmitting signals without draining the battery. Like other network protocols it relies on identifying devices by their MAC addresses; but while most BLE devices have a random MAC address, Context researchers found that in most cases the MAC address doesn’t change. “My own fitness tracker has had the same MAC address since we started the investigation, even though it’s completely run out of battery once,” said Lester. Sometimes the transmitted packets also contain the device name, which may be unique, such as the ‘Garmin Vivosmart #12345678’, or even give the name of the user, such as ‘Scott’s Watch’.
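The two exposures described above, an address that never changes and a device name carried in the advertising packet, can be checked on your own devices from a scan log. The following is an added example, not code from Context or its app: the sightings are constructed sample data, and the 900-second threshold for "should have rotated by now" is an assumption.

```python
from collections import defaultdict

# Constructed sightings from a scan of your own devices:
# (unix time, address printed most-significant byte first, kind, advertising data hex)
SIGHTINGS = [
    (0,    "E4:12:9A:00:00:01", "random", "02010609095465737442616e64"),
    (3600, "E4:12:9A:00:00:01", "random", "02010609095465737442616e64"),
    (0,    "5B:AA:10:00:00:02", "random", "020106"),
    (3600, "6C:0F:33:00:00:03", "random", "020106"),
]

def parse_ad(data):
    """Split advertising data into {AD type: payload}; stop at padding or truncation."""
    out, i = {}, 0
    while i < len(data):
        length = data[i]  # length byte covers the type byte plus the payload
        if length == 0 or i + 1 + length > len(data):
            break
        out[data[i + 1]] = data[i + 2:i + 1 + length]
        i += 1 + length
    return out

def local_name(ad):
    """Complete Local Name (0x09) if present, else Shortened Local Name (0x08)."""
    raw = ad.get(0x09, ad.get(0x08))
    return raw.decode("utf-8", "replace") if raw else None

def address_class(addr, kind):
    """Random addresses encode their subtype in the two most significant bits."""
    if kind == "public":
        return "public"
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static-random", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")

def audit(sightings, max_age=900):  # max_age in seconds: assumed rotation threshold
    seen = defaultdict(lambda: {"times": [], "cls": None, "name": None})
    for ts, addr, kind, adv in sightings:
        rec = seen[addr]
        rec["times"].append(ts)
        rec["cls"] = address_class(addr, kind)
        rec["name"] = local_name(parse_ad(bytes.fromhex(adv))) or rec["name"]
    findings = {}
    for addr, rec in seen.items():
        issues, age = [], max(rec["times"]) - min(rec["times"])
        if age > max_age:
            issues.append(f"address unchanged for {age}s")
        if rec["cls"] in ("public", "static-random"):
            issues.append(f"non-rotating address type: {rec['cls']}")
        if rec["name"]:
            issues.append(f"broadcasts name {rec['name']!r}")
        findings[addr] = issues
    return findings
```

A device that shows no findings here is advertising under resolvable or non-resolvable private addresses that changed between sightings and is not sending a name in the clear.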
BLE is also increasingly used in mobile phones and is supported by iOS 5 and later, Windows Phone 8.1, Windows 8, Android 4.3 and later, as well as the BlackBerry 10. The Bluetooth Special Interest Group (SIG) has predicted that, “By 2018, more than 90 percent of Bluetooth enabled smartphones are expected to be Smart Ready devices,” supporting BLE; while the number of Bluetooth enabled passenger cars is also predicted to grow to over 50 million by 2016.
iBeacons, which also transmit BLE packets in order to identify a location, are already used in Apple Stores to tailor notifications to visiting customers, while BA and Virgin use iBeacons with their boarding pass apps to welcome passengers walking into the lounge with the WiFi password. House of Fraser is also trialling iBeacons on manikins to allow customers to look at the clothes and their prices on their phones. The current model for iBeacons is that they should not be invasive; you have to be running the application already, for it to detect and respond to a beacon. But the researchers have concerns: “It doesn’t take much imagination to think of a phone manufacturer providing handsets with an iBeacon application already installed, so your phone alerts you with sales notifications when you walk past certain shops,” said Lester.
The current version 4.2 of the Bluetooth Core Specification makes it possible for BLE to implement public key encryption and keep packet sizes down, while also supporting different authentication schemes. “Many BLE devices simply can’t support authentication and many of the products we have looked at don’t implement encryption, as this would significantly reduce battery life and increase the complexity of the application,” said Lester.
“It is clear that BLE is a powerful technology, which is increasingly being put to a wide range of uses,” concludes Context’s Lester. “While the ability to detect and track devices may not present a serious risk in itself, it certainly has the potential to compromise privacy and could be part of a wider social engineering threat. It is also yet another demonstration of the lack of thought that goes into security when companies are in a rush to get new technology products to market.”
Homemation creates comfort through smart homes
Home automation is more than just turning the lights on and off, Homemation’s Gedaliah Tobias tells BRYAN TURNER
The world is taking interior design notes from the Danish, in a style of living called hygge (pronounced hoo-gah). Its meaning varies from person to person: some see hygge as a warm fire on a cold winter’s night, others see it as a cup of hot coffee in the morning. The amount of “good feelings” one gets from these relaxing activities depends on what one values as indulgent.
But how does technology fit into this “art of feeling good”?
We asked Homemation marketing manager Gedaliah Tobias to take us through a fully automated home of the future and show us how automation creates comfort and good feelings.
“The house is powered by Control4, which you can think of as the brain of the smart home,” says Tobias. “It controls everything from the aircon to smart vacuum cleaners.”
The home of the future is secured by a connected lock. It acts like other locks with keypads and includes a key in the event of a power interruption. The keypad is especially useful to those who want to provide temporary access to visitors, staff, or simply kids who might lose their parents’ house keys.
“The keypad is especially useful for temporary access,” says Tobias. “For example, if you have a garden service that needs to use the home for the day, they can be given a code that only turns off the perimeter alarm beams in the garden for the day and time. If that code is used outside of the day and time range, users can set up alerts for their armed response to be alerted. This type of smart access boosts security.”
Once inside, one is greeted with a “scene” – a type of recipe for electronic success. The scene starts by turning on the lights, then by alerting the user to disarm the alarm. After the alarm is disarmed, the user can start another more complicated scene.
“Users can request customised scene buttons,” says Tobias. “For example, if I press the ‘Dinner call’ scene, the lights start to flash in the bedroom, there’s an announcement from the smart speakers, the blinds start to come down, the lighting is shifted to the dinner table. Shifting focus with lighting creates a mood to bring the house together for dinner.”
Homemation creates these customised scene buttons to enable users to control their homes without having to use another device. In addition to scene buttons, there are several ways to control the smart home.
“Everything in the smart home is controllable from your phone, the touchscreens around the house, the TV, and the dedicated remote control. Everyone is different, so having multiple ways to control the house is a huge value add.”
We ask Tobias where Homemation recommends non-smart home users should start on their smart home journey.
“Before anything, the Control4 infrastructure needs to be set up. This involves a lot of communications and electrical cabling to be run to different areas of the home to enable connectivity throughout the home. After the infrastructure is set up, the system is ready for smart home devices, like lighting and sound.”
“For new smart home users, the best bang for their buck would be to start with lighting once the infrastructure is set up. Taking it one step at a time is wise.”
• For more information, visit https://www.homemation.co.za/
Face App grabs SA attention
South Africans generated more than 100 000 search queries for “Face App” on Wednesday, while only generating 50 000 for “Mandela Day”. The Internet went crazy over the two-year-old app, which uses artificial intelligence to create a rendering of what users might look like in a few decades. Face App went viral as users posted their aged likenesses on social media in the #faceappchallenge. Privacy experts, however, warned that the app (made in Russia) may pose a threat to users’ privacy as it stores photos on its servers, with US Senate minority leader, Chuck Schumer, appealing to the FBI to investigate the app.
In other top searches on Google this week, “Johnny Clegg” garnered more than 500 000 search queries on Tuesday as the news of his passing broke. The ‘White Zulu’ of Juluka and Savuka fame was an internationally acclaimed musician who was also an important figure in the fight against apartheid. Tributes to Clegg have been flooding media and social media over the past couple of days. Clegg succumbed to pancreatic cancer at the age of 66.
More than 200 000 search queries were generated for “Mark Batchelor” on Monday after the former soccer star was brutally gunned down outside his Olivedale home in Gauteng. Investigations into the shooting are still ongoing. Batchelor played for Orlando Pirates, Wits University, Kaizer Chiefs, Mamelodi Sundowns, Moroka Swallows and Bafana Bafana.
“Jacob Zuma” also garnered more than 100 000 search queries on Monday as he made his first, much-anticipated appearance in front of the Zondo Commission on state capture.
On Sunday “Macdonald Ndou” picked up more than 10 000 search queries after reports of the Muvhango actor’s arrest made the rounds. Ndou was held on various charges including extortion and kidnapping. The Hawks have reportedly provisionally withdrawn charges against the TV star, but a spokesperson said the decision to withdraw does not mean the charges will not be reinstated.
“Serena Williams” garnered more than 50 000 searches on Saturday as the tennis superstar suffered a 6-2, 6-2 defeat against Simona Halep in a Wimbledon final that lasted just 56 minutes. Williams later told Agence France Presse, “She [Halep] played out of her mind” and “I was like a deer in headlights”.
Last Friday, South Africans produced more than 20 000 search queries for “Duduzane Zuma” as the Randburg Magistrates Court found the former first son not guilty of a charge of culpable homicide. In February 2014, Zuma was involved in a car crash that took the life of Phumzile Dube when his vehicle crashed into the taxi she was travelling in.
Search trends information is gleaned from data collated by Google based on what South Africans have been searching for and asking Google. Google processes more than 40 000 search queries every second. This translates to more than a billion searches per day and 1.2 trillion searches per year, worldwide. Live Google search trends data is available at https://www.google.co.za/trends/hottrends#pn=p40