Tuesday, January 30, 2018

OPSEC and the Internet of Things

This time, the things are Fitbits and other personal data trackers. Fitbits don't just track your running, they report it. It's data you can use personally to reach new fitness goals. And your personal information is removed, but the aggregated data is published online.

Which means anyone can see it.

This is a screenshot of Kandahar from the Strava website. The running track stands out of the background in what the company calls a heat map.


Now Kandahar might not be revealing much, because everyone knows the U.S. is there. But what about a lot of Fitbit jogging activity near a suspected CIA compound in Somalia? Or the guys that are monitoring all their daily activity and wear their Fitbit on patrols or while working outside their bases?

It's clearly detailed enough to make it usable intelligence for an enemy.

Here's the Washington Post article.

5 comments:

Old NFO said...

Grr... And you know damn well they are using that data...

Matt W said...

Not only that, but one of the articles on this issue that used a Tawainese missile complex as an example stated that individual users could be singled out of a specific heatmap. Then other "locations" that the same user has been logged at could be pulled up. The missile complex that was pictured in the article is apparently somewhat public knowledge, but the biggest concern would be finding out some of those military users have been to other unknown and previously secret sites.

https://www.thedailybeast.com/strava-fitness-tracker-app-exposes-taiwans-missile-command-center

Borepatch said...

One of the hardest problems in computer security is Covert Channels, where information leaks in a way that isn't intended or desired. The problem is universal - Information leaks, pretty much from everywhere and all the time. It may be that it's simply impossible to design a system that doesn't have covert channels. My suspicion is that this is particularly true when there's an IP address involved.

DaveS said...
This comment has been removed by the author.
McChuck said...

You're never going to keep, shall we call them unsophisticated people, from doing silly or moronic things. I and other security professionals (of all disciplines) have had the devil of a time keeping devices out of SCIFs. "But my fitbit shouldn't count! I need my iPhone so I can ask Siri questions!"

There are technical threats everywhere. But they are dwarfed by the general opsec issues. Who has the contract to clean the SCIF? The safe house? Does anybody really monitor them, or even stop talking and cover things while the cleaning lady is in the room? When was the last time they were background checked? Are these even the same people as were checked then? How about their families?

Yes, you do need to put everything away and lock the safe, then turn on the alarm, then lock the doors when you leave. No, you're not allowed to keep the safe next to the front door on coasters so the cleaning lady can move it out of her way. No, you're not supposed to take selfies in front of the safehouse and post them on Bookface.

Oh - The CIA compound in Somalia is the place with all the white men with guns and polo shirts. You can always tell the American agents because they're the only people in country who jog for fun. Just saying.