You Can Run, But You Can’t Hide

With only the odd break, I have been a jogger for over 25 years. I don’t go far and I don’t go fast, but I am regular. Four to five times a week I slip on my running shoes and hit the street (or the basement treadmill in the winter). Some of the many things I like about jogging are that it takes little in the way of fancy equipment, you can do it any time, you don’t have to go somewhere or book something to do it, it’s simple, and you don’t have to be seen wearing some mega-corporation logo (which I hate to do). So I surprised myself earlier this week when I let myself get sucked into buying a matching electronic pedometer when I purchased a new pair of sneakers. Not just any pedometer, but one from the marketing monsters Nike and Apple.

[Image: Nike + iPod display. Caption: Nike + iPod = distraction]

Nike + iPod = Personal Area Network

There are two pieces to the kit. A sensor/transmitter slips into a specially built cavity in the left-shoe foot-bed. The sensor uses a piezoelectric accelerometer and a proprietary 2.4 GHz radio transmitter. The non-replaceable battery is supposed to be good for 1,000 hours of active use (it goes to sleep when still). The receiver is a small plastic rectangle that slots into a generation 2 or 3 iPod nano. Any significant movement of the sensor results in a link being established with the receiver and you’re in business. You can upload your stats to a website and trend your workouts, compete with others, etc. They have sold hundreds of thousands of these things since the launch in the summer of 2006. I must admit, it has been fun to play with as I jogged. I could see real-time updates of my speed, distance and calories.

Peek-a-Boo, I see You

Having bought the gizmo spontaneously without my usual compulsive pre-purchase research on the internet, I spent some time shortly after my first workout to see what’s what with the product. Cutting through the marketing clutter, I came across a real eye-opener. Shortly after its launch, some enterprising young engineers from the University of Washington figured out that the device had some serious security flaws. They figured out that the transmitter did not establish an encrypted channel to the receiver, that the transmitter would send signals even though the receiver was not in range, and that multiple transmitters could be detected by a single receiver. Using low-cost electronics equipment, they hacked the receiver so that it could pick up any transmitter in range and display the transmitter’s unique ID on a computer.

[Images: cheap WiFi tracking device for Nike+iPod; Google map of Nike+iPod people]

Follow the bouncing jogger

$200 Distributed Surveillance System

Not content with a single short-range detector, they then hooked up some cheap electronics to a Linux board and added a WiFi wireless antenna (total cost < $200) so that they could show how a bad guy could deploy lots of these things around a campus and detect Nike+iPod transmitters as they came in range. Finally, to add salt to the wound, they constructed a website that displays the whereabouts of all the Nike+iPod transmitters detected by their grid of WiFi devices on a Google Map. The result of this exploit is a poor man’s surveillance system that can track and trend where you are and where you have been.

A lot of attention has been paid to the privacy issues associated with unsecured 802.11 networks, RFID tags and open Bluetooth networks. These clever kids from Seattle have demonstrated that even proprietary consumer wireless devices can present a security nightmare in the wrong hands. This cautionary tale should give us folks in the telehealth business pause. We have to think about the security posture of the many wireless telehomecare bio-telemetry devices that will be pouring into the market in the coming years. What do we need to do to ensure that the data from these devices never finds its way onto a Google Map?
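The linkability problem described above, set beside one possible countermeasure, as an added example (not from the original post or from the University of Washington work): a fixed unique ID lets a grid of listening posts join separate sightings into one track, while an identifier that rotates under a key shared only with the paired receiver does not. The sensor names, IDs, keys, sightings and the HMAC scheme are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample: (time epoch, listening post, sensor) sightings of two sensors.
SIGHTINGS = [(0, "library", "A"), (0, "gym", "B"), (1, "cafe", "A"),
             (2, "dorm", "A"), (2, "library", "B")]

# Hypothetical per-sensor values: a fixed serial (the behaviour the post describes)
# and a secret shared only with the paired receiver (the assumed mitigation).
STATIC_ID = {"A": "5E1F00A1", "B": "5E1F00B2"}
PAIR_KEY = {"A": b"key-for-sensor-A", "B": b"key-for-sensor-B"}

def static_beacon(sensor, epoch):
    """Broadcast value as described in the post: the same unique ID every time."""
    return STATIC_ID[sensor]

def rotating_beacon(sensor, epoch):
    """Assumed mitigation: pseudonym = HMAC-SHA256(pair key, epoch), truncated."""
    mac = hmac.new(PAIR_KEY[sensor], epoch.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:16]

def observer_tracks(beacon):
    """What a passive grid can link together: beacon value -> places it was heard."""
    tracks = defaultdict(list)
    for epoch, post, sensor in SIGHTINGS:
        tracks[beacon(sensor, epoch)].append(post)
    return dict(tracks)

def longest_track(beacon):
    """Length of the longest movement history an observer can reconstruct."""
    return max(len(places) for places in observer_tracks(beacon).values())

def paired_receiver_accepts(sensor, epoch, value):
    """The paired receiver holds the key, so it still recognises its own sensor."""
    return hmac.compare_digest(rotating_beacon(sensor, epoch), value)

if __name__ == "__main__":
    print("static  :", observer_tracks(static_beacon))
    print("rotating:", observer_tracks(rotating_beacon))
    print("longest track, static vs rotating:",
          longest_track(static_beacon), longest_track(rotating_beacon))
```

Rotating the identifier only removes the link at the protocol level; the readings themselves would still need encryption, which the post notes the transmitter did not provide.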

For more information on the hack, see: http://tinyurl.com/ufq5c .