
All right everybody, thank you for being here. It's been a great, it's been a great conference so far. You're about to hear an amazing talk. Wendy is amazing, she's one of my favorite people, and she's going to give you an awesome talk today. Quick couple pieces of housekeeping. Number one, silence your cell phones; we don't want to hear them, you don't want to hear them. Please no recording, because we are recording. No, you know, please don't, you don't need to. Beside that, if there's time for questions at the end, I will come to you with this lovely scepter of questioning and you will speak into it so that this can go out on the YouTube stream. If there's not time for questions, Wendy will be happy to take your questions off the air, which is to say out of this room so the next people can come by. With no further ado, the woman you come to see, Wendy Knox Everette. [Music]

Okay, hi everyone. You can all hear me? Cool. So I'm going to give a talk that I proposed in May of this year, and I was like, hopefully this is going to be completely irrelevant, it'll just be like a cool little, you know, interesting on the side. As everybody's aware, that is not actually the situation. So I am, or sorry, there's been a lot of attention paid to this sort of stuff when, like, people are all of a sudden realizing that rights that we thought were pretty well established, and our privacy, is not as sacrosanct as we had thought.

And so, I am a fitness tracker user. I had a Fitbit in 2010. I still wear an Apple Watch, I have a Peloton bike, I have a scale at home that talks to Wi-Fi. I've got a bunch of examples in here for my own personal data. And I'm a CSO at a startup in the healthcare space. I know a ton about HIPAA, probably far more about HIPAA than I would ever want to know, and I've done some threat models of fitness trackers and so forth over the years, looking at sort of privacy impacts and so forth. And so this talk is going to go through a lot of things.
You're going to hear me talk a bunch about data that fitness trackers and so forth collect, and one thing I'm going to actually talk a lot about is that this talk is somewhat irrelevant. Law enforcement is not actually yet using a lot of this data. It's so important that we realize what gets collected and what the protections are, but this has not really been used in any prosecution so far. This talk is a little bit more speculative, and to inform people and to have you think about things.

I am a lawyer. I am not your lawyer. But I do want you to take one piece of advice away from this, which is: do not ever consent to the search of a phone or a computer or anything. Anytime you are pulled over by police or so forth, the one thing you say is, "I want to talk to my attorney. I do not consent to the search of this car. I do not consent to the search of this phone."

And so, as I mentioned, we're going to talk a lot about all the very personal data that, you know, your Apple Watch and so forth collect, and it's still not really being used. This obviously could change. Things are very fast moving; I've had to change this talk a couple times over the last two days because of things that are happening. But so far it's been all text messages and searches and so forth.

So I'm going to do a very little bit on this. I actually did a talk at BSides in 2018 where I went very deep into how warrants work, how wiretaps work, how PRTTs work, and so if you're interested in this, please go find that talk. Happy to answer questions about it if you go watch it and email me or so forth. But I'll just give you a little bit of a flavor of what this is when police are going after the search history and text messages and so forth.

So a subpoena is one of the lowest burdens of proof, essentially, but it doesn't give you as much information. It gives you metadata. The Fourth Amendment obviously is written in colonial times, and so they thought about this like, well, it's not that private, the addressing information on the
outside of an envelope. Everybody can see it. And so if you just want to get to-and-from information, like, we shouldn't need that high of a burden of proof. Obviously, anybody who studies stuff like World War II with the Enigma and so forth, you can see that network analysis and so forth will actually give you a ton of information, but we also have computers now to help us with that. But generally, subpoena is a lower standard: less information, less privacy protection.

Warrants give you full content, and so there's a higher burden for that. These are mostly what are used if someone's going to get text messages and so forth, and you need to show probable cause that a crime has been committed in order to get this full content data.

Related to that, law enforcement has started realizing there's all this cool new tech out there with all this juicy information that they could get, so they've started using keyword warrants, which are very problematic from a civil liberties standpoint. You're not starting with a person; you're saying, I want to find everybody who googled for, like, this abortion drug, I want to find everybody who googled for abortion clinics in a certain state, and so you're basically fishing for your suspects.

I am going to tweet out my slides, so, there's a lot of URLs and links in here. I am @wendyck on Twitter, so you can find the slides after. So if you want to, feel free to take pictures of the slides up here, but I will tweet them.

And geofence warrants are also very problematic. These are somewhat similar to the cell site location information warrants the police have done, giving everybody that connected to a particular cell tower. So sometimes they're pulling it from that, sometimes they're asking Google for people who are in a certain area. These were used a lot in the January 6 prosecution: who connected to certain Wi-Fi endpoints within the Capitol building and so forth. Also problematic from a civil liberties standpoint, because you're not starting with a suspect,
you're like, let me throw out a digital fishing net and see what sort of suspects might come up in it.

And wiretaps, which is what I have the most legal experience with, are very similar to warrants for stored content in that you get the full content from them. The federal wiretap statutes say wiretaps can only be used for certain crimes. If you go look that up, it's a huge laundry list of crimes; there's a lot in there.

And D orders, there's something else that I have a ton of experience with. This is basically subscriber information. So you can say, you know, I'm going to do a subpoena to get the to and from for my communication, and I'm going to do a D order for the subscriber information from that, and basically they will do hops along a network to see who's talking to who and who these people actually are.

Google is one of the companies that tries to be pretty open about what sort of data they provide. You can go to the Google Transparency Report center and they tell you, for all these various types of law enforcement orders that I just walked through, exactly what sort of information they're going to hand over.

All of that is kind of cool. I'm a bit of a wiretap nerd because I worked on them and whatever. I gotta say, a lot of what's happening has nothing to do with wiretaps. They don't take the time to get warrants. They capture cell phones and they ask for permission to search the cell phone, and then they take your cell phone and do a forensic analysis on it. There's a lot of tools out there that will basically take phones and extract text messages, extract your location history. I am not an expert on this stuff; there's a lot of people around who are. My friend Riana wrote a really great op-ed in The Hill recently talking about how, if the federal government really wants to be serious about helping to protect women, they could say that federal law enforcement will not help with these cell phone digital forensics searches, because right now this is pretty much happening. And
so, as I mentioned, people will, they will get the cell phones and ask for consent to search it, and so consent bypasses all the probable cause and other protections that are in place for warrants and wiretaps and so forth. So very much, do not ever consent to a search of a device. Even if you are positive you are innocent, just do not consent.

Okay, so I promise we're going to talk about fitness trackers, and I've just been talking to you about warrants and keywords and so forth. So anytime we talk about fitness trackers and health, people go, well, the US has vertical sector privacy, and health is actually one of the areas where we have a vertical sector of privacy law called HIPAA. HIPAA does not stand for, like, health information privacy or whatever. It stands for health information, sorry, Health Insurance Portability and Accountability Act. Originally had nothing really to do with privacy; there have been some add-ons with HITECH and so forth. So I'm going to go very lightly over this. It protects information that originates from doctors, from hospitals, from insurance companies and so forth. It imposes some very minimal security requirements, so I tell my dev team, you know, we need to do this for HIPAA, but we really need to do this to be secure; like, the HIPAA requirements are pretty low key. It has a bunch of administrative and technical safeguards in place, like your stuff has to be encrypted. Oh dear.

So we had an outrageous speaker request for all the hugs, so we formed a hug squad. Oh amazing. Ready? Thanks god, everybody. [Music]

Talking about HIPAA and getting a hug squad is maybe the bestest. Cool. So why does all this matter? What use is HIPAA? HIPAA really is to protect your health information, so that if you work at a hospital and you have access to medical records, you can't just go spelunking through the medical records to see, you know, does my neighbor have a particular disease, why was a celebrity in the hospital. You can only access HIPAA-protected health
information if you're authorized to access it, aka providing care, so forth. There are a ton of exceptions in there around law enforcement, though. So since we just talked about warrants and wiretaps, we'll go quickly through some of these. These are all on the HHS website if you want to go look at them in more detail. So you can just get a subpoena for this information, like we talked about; to identify or locate a fugitive; to basically give over information about a victim of a crime to help prosecute it; to alert law enforcement that maybe someone was assaulted and they've died, and so now it's a murder suspect or murder investigation; in good faith, if you think a crime has occurred at the hospital. There's also a huge exception for, like, protecting the president, so someone goes to a doctor and says, I want to shoot the president, they're allowed to go alert Secret Service, that sort of stuff.

And HHS has recently released some guidance around disclosures around reproductive care. Essentially says, if you're a nurse and you suspect someone had a miscarriage that's suspicious, you can't just on your own go and report this to the police. However, there is still all the law enforcement exceptions in place, so it is still valid under HIPAA for basically law enforcement to send a warrant to a hospital to ask for information if they think it's a crime in that area.

So is all our fitness tracker data, like the Fitbit and the Apple Watch or whatever, protected by this great set of protections? No. Basically, fitness tracker information is created by us, and we are not covered entities, and so therefore HIPAA is pretty much off to the side. So it's a nice vertical sector privacy law that gives some safeguards; do not apply to fitness tracker data almost always. There are some exceptions, like if you have a pacemaker or you're wearing an insulin pump or something, like, under a doctor's orders, the information from that is still under HIPAA, but not your Fitbit or your Apple Watch.
So what is a fitness tracker these days? Like, we say, oh, you know, a Fitbit, that's certainly one, that's sort of the classic fitness tracker. My watch tracks, you know, oxygen saturation, my heartbeat and so forth. My phone, if you keep your phone in your pocket while you're walking around, it will keep track of, like, how often are both your feet on the ground, how fast you go up and down stairs. I have this scale at home and it reports all sorts of stuff up into the cloud for me. I have a Peloton, because I also stopped going to the gym during the pandemic, and I have one of these and it talks to Apple Health and Google Fit.

So the fitness trackers know a lot about, you know, body attributes about us; it's our heart rate and so forth. They also know some other stuff that law enforcement might be interested in. Where you were is a really big one. And so this is not actually an example from a fitness tracker, but I thought this was like a nice tweet that sort of summed up. This is from the recent thing where the Tim Hortons app in Canada got in trouble for tracking when people were coming and going from work and from home, and so this is a sort of information that's just available on your phone if you have an app and you've given the application access.

There's also a really famous example in this area of Strava leaking the private military bases. People would scroll around on the map and be looking at these really empty, desolate areas in the Middle East and go, why is there like a little square with a whole bunch of people running? And it turns out those are secret forces bases, and they absolutely did not intend to do this. You know, they're very smart people, but they're not, you know, engineers, and they didn't maybe notice that this stuff was by default public.

One that was very disturbing to me is one that just came out somewhat recently: Strava's Flyby. They're like, well, okay, part of the problem with leaking the military bases was that you could see stuff that wasn't close to you, so
we'll make sure that all the location stuff is near you, so if you run past someone, maybe you want to find out what the running route is. It turns out a lot of people start and end their runs at their home, so you could find someone's home address by running near them. They didn't really learn anything from all of this. They made some default privacy changes, say, you know, you'd have to upload runs nearby. This is from June; I just, you know, had to pull this after I submitted this talk, because you can upload completely fake fitness data into Strava, showing like completely unreasonable times, and it will show you running routes near you, and someone used it to discover a bunch of secret military sites in Israel. So location stuff can be very sensitive if you don't think carefully about how it can be abused.

Apple Health also tracks location. They're a little bit more privacy protective. This is from a walk I did near my house, and you can see there is a map. There's not really any way for me to share that map publicly, so it's in my Apple Health. If you use Peloton and you do outside walks with them, they have maps, and they will allow you to share it publicly, so it sort of goes through there, but that's not by default public. So it's a little better, but the information is still there if law enforcement, excuse me, wanted to submit a warrant for it. And fitness tracker stuff is super common for people wanting to track their bike routes and their running routes and so forth, and so there's a lot of stuff on the websites for these tools that explain to you how to turn it on, how do I use this to track things.

So in addition to the GPS, as we mentioned, there's a lot of private health information about people's bodies that these trackers have and that they store. One very interesting fitness tracker is the Oura Ring, and they have a temperature sensor in them. I will, I'm sure most of the women in this room know this, but for the guys, your body temperature changes when you ovulate, and so body
temperature actually can be a very good indicator of fertility: are you pregnant, are you not. It's different for every woman, but overall. And so when I was talking about this with some friends, they're like, oh, but Oura, sure, they're tracking your temperature, but you have to very carefully take your temperature if you're trying to get pregnant; it's probably not accurate enough, it's not really a real risk. So Oura is like, oh no, here's how you can use it to track if you're ovulating, let us tell you how you do it, let us even give you some scientific studies to show exactly how precise it is. So as I said, I don't think anybody's actually using this in court so far, but if you wanted to bring this evidence in, Oura is going to help you authenticate that data to show possibly that someone actually was ovulating, stopped ovulating, therefore maybe was pregnant.

So in addition to just things like Oura trying to guess if you're ovulating or not because of your body temperature, there's a ton of support in these apps for cycle tracking that's a little bit more manual. There was a huge wave of articles in May, June about, should we be using these cycle apps, should we delete it, do we need to delete all this data. That can actually have serious health implications for a lot of women who really need to track their cycle. The controversies around these actually even predate what happened in May. This FTC consent order is from January 2011,
sorry, 2021, I can totally talk. Flo was releasing a lot of data to advertisers and not really letting their users know that, like, hey, you're putting this very sensitive information into the app and, you know, we're sending it to advertisers. And Apple Health and Google Fit finally woke up and realized a lot of women use fitness trackers, and added cycle tracking just directly as, like, a primary sort of thing that can be tracked through those platforms. And I think that I took this picture from Google Fit. I, actually, looking at it, I don't remember if this is Apple Health or Google Fit, but it's pretty, somewhere between the two of them, you can just go in and enter the data.

So I've been tossing around a lot of terms about Apple Health and so forth. These are the four really biggest players in this field, and they all interoperate. So when I ride on my Peloton, I send the data to Apple Health and then it sends it to Google Fit. So they all have APIs and work, and so your data's kind of replicating out among there. One of the other reasons why these are sort of the big ones in the field is that each one of these also supports a lot of third-party apps. These are things like, the Peloton is actually a third-party app in this, Strava is somewhat a third-party app on, you know, Fitbit and so forth, and there's tons of other different apps you can get to plug in, like sleep trackers, meditation, so forth.

There's also wildly varying quality. This is my favorite Fitbit app. Like, we came across this and we were doing, you know, looking over various apps in the field. This app literally does nothing but put a roach on your Fitbit watch and have it dance around. I at first saw this, I was like, oh, this is like one of those flashlight mobile apps that really steals your contacts, but it appears not to. It actually doesn't ask for very many permissions. It literally just puts a roach on your watch and dances around. But if it wanted to, it could have access to all of your health information. There's a
lot of trust that's happening here, and the way that this is governed in the Google Health and Google Fit, Apple Health, so forth sort of space is through permissions, and there's wildly varying permission models among these. Apple Health is really good in that it gives you the chance to, app by app, share what data goes. So this is my scale asking for permissions. I'm unsure why my scale needs my body temperature, but I have it turned on because I was too lazy to turn it off. I could individually toggle these off and on. It also allows it so you can see all the stuff. Again, I'm