User identification methods using smart devices

Is it true that 2 paired gadgets can give out your data?

 The question is rhetorical. Contacts, correspondence, working moments, personal life, data about your health, archive of movements, etc. and all the devices connected to the smartphone can merge it all. All these devices perform different functions, with the help of which they collect different data about us. We will try to tell about them. But let’s start with the technology that connects all these devices to a smartphone or PC (laptop). Can also use Bluetooth to cause a denial of service. They can disable the device, block the smartphone from receiving or calling, drain the battery and steal your data. Apps on your phone can also use your Bluetooth connection to collect data and track your location. Bluetooth shows your location and thanks to Bluetooth encryption you can easily be hacked. Bluetooth can be used to track your location. This requires only two things: a device that is always using Bluetooth and a unique device ID.

How does it work? Two devices connected via Bluetooth recognize each other by exchanging information that can be thought of as an address. Most devices change it regularly, for example, when the connection is restored or when the batteries run out. But some devices, like fitness trackers, keep the same address no matter what. Attackers can use it as a unique identifier. Worst of all, such devices constantly transmit this signal to stay connected to the phone and provide accurate real-time results. Two devices connecting via Bluetooth must exchange cryptographic keys to establish a secure connection. But not all devices support long and secure encryption keys. Therefore, it is necessary to “talk” with each other to decide on the length of the key. Attackers intercept this process and force one of the devices to “offer” to use a weak encryption key that may be less than 1 byte. Once such a connection is established, a simple “brute force attack” can be used to break the encryption and begin observing the traffic exchanged between the devices.

      1. Bluetooth

Almost any two Bluetooth devices can connect to each other. Any detected Bluetooth device transmits the following information:

  • Name

  • Class

  • List of services

  • Technical information

When the two devices connect, they exchange a pre-shared secret key or link key. Each device stores this key to identify a “partner” device in the future.

Bluetooth is a universal minimum power protocol, operating at a frequency in the range from 2.4 to 2.485 GHz. Bluetooth devices create a so-called piconetwork, or very small network. A piconetwork has one master and up to seven active slaves. Since Bluetooth uses frequency hopping (frequency changes up to 1,600 times per second), these devices’ communication does not interfere with each other, as the chances of two devices using the same frequency are extremely small. The minimum Bluetooth range specification is 10 meters, but there is no limit to the coverage range that manufacturers can implement on their devices. Many devices have a coverage range of up to 100 meters. With the help of special antennas, we can extend the range even further.

How to protect yourself?

  1. Turn off Bluetooth from active search mode.

  2. Ideally, select passwords for each device and change them once every couple of months

  3. Do not neglect the rules of digital hygiene.

  4. Update the firmware and software on your devices regularly. One of the ways of hacking is to use “day one bugs”.

  5. Since smartwatches and fitness trackers are constantly exchanging information and synchronizing, it is necessary to check installed apps for various permissions, such as access to geolocation and phonebook, etc.

2. GPS

We don’t know if there is much to write here. GPS can be found not only in GPS trackers, but also in smart watches and fitness trackers.

GPS tracking is intuitive even for users who aren’t particularly involved in cybersecurity. The point is that most programs installed on your phone or other technology read your GPS data in the background. Determine where your phone is by sending a signal to a satellite that returns the exact geographic coordinates on Google Maps. In this way, large corporations collect a huge amount of data about you and store it on their servers.

Ideally, this data should be kept strictly confidential and should not go beyond the companies that collect it. But a perfect world does not exist and we perfectly understand that there are many options for how this data could accidentally end up in the wrong hands. Example – the Yandex company cooperates with the Russian FSB, and it will be happy to transfer all possible data about any user at the first request. This is just one example, there are other ways, starting from banal bribery of an employee, ending with hacking and downloading all the data of these companies. One way or another, personally, I would not really like a fellow major or any other “well-wishers” to know where I live, work, train or drink beer in the evening with friends. How to counteract this? I think you already guessed it, you simply turn off the geolocation tracking in every application, starting with Telegram, ending with an application for learning English, and turn it on only when necessary.

3. Accelerometer, gyroscope and microphones

A group of researchers from the Institute of Electrical and Electronics Engineers (IEEE) has developed the PinMe system, which allows, based on open data and information from various sensors of a smartphone, to track its location with an accuracy comparable to GPS. In this regard, the researchers call on gadget manufacturers to add a software solution that disables all sensors, not just GPS. Scientists have discovered a breach in the security of smartphones. By comparing information from the accelerometer and gyroscope with open data – maps and weather reports – they were able to determine the person’s location, route and mode of transport. To begin with, PinMe read information about the smartphone’s last IP address and network status to determine the last connection to Wi-Fi – this is how the program received a starting point for further work. The app then used an algorithm it had been “trained” by using machine learning to tell the difference between walking, driving, flying and other modes of locomotion. For this, data from sensors was used – the direction and speed of movement, the frequency of stops, as well as the height above sea level.

After determining the way of movement, PinMe included a new algorithm and began to compile the user’s route. OpenStreetMaps service was used to obtain navigation data. Google Maps helped determine the location by matching it with an elevation map. To specify the route, the program used the Weather Channel weather service: accurate information about temperature and air pressure helps to level the influence of weather conditions on the information collected by the sensors.

SonarSnoop is a finger movement tracking technique to determine the phone’s unlock code, based on the principle of sonar – the top and bottom speakers of the smartphone generate inaudible vibrations, and the built-in microphones pick them up to analyze the presence of hand-reflected vibrations.
An accelerometer is a sensor that measures acceleration (amount of change in speed).
The gyroscope in the phone is a special sensor. It is designed to determine the position of the device in space.

In the illustration below, the route tracked by PinMe is marked in green and yellow – traffic by car and on foot, in black – the route built according to GPS data

The accelerometer will help you find out the password you type on your computer. Imagine that you are typing on a keyboard (not touch, but regular), and the phone is placed on a table next to it. The phone’s accelerometer (acceleration sensor) can pick up vibrations from keystrokes. A gyroscope can denoise this data. With the help of a special program, you can analyze the vibrations and determine which keys they belong to. The program compares the vibrations in pairs and understands which key is located further from the phone and which is closer to it, and thus “restores” all or most of the keyboard. As you can see, the familiar gadgets that expand and complement the functionality of our smartphone can also be sources of “draining” personal data. Yes, we have a data transmission technology that is not the most reliable. We have many sensors that can help both us and the attacker. But we can reduce the risk: we update the software, use complex passwords and change them periodically, turn off the active search for Wi-Fi and Bluetooth, monitor the permissions of applications and programs, and do not forget about our own information hygiene.

Glory to Ukraine!

Found an error?
If you find an error, take a screenshot and send it to the bot.