Weekly Threat Report - 13th July 2018
Reports are drawn from recent open source reporting; see the latest report here:
Another fitness tracker reveals personal information
Researchers at citizen journalist website Bellingcat and Dutch news site De Correspondent have revealed that unauthorised individuals could use the Polar fitness tracking app to track users’ activities, even if privacy settings appeared to be locked down.
Polar have since published a statement and FAQ for its users.
This follows similar revelations involving the Strava application in January 2018, where activity in and around military sites was identified. In this case, Polar users are only affected if they have opted-in to also use the extra Polar Flow application.
The researchers reported that the social layer of the Polar Flow application provided more information than was available via Strava. Researchers were able to track a user’s exercise route and link it to home address information and social media profiles.
Polar have since suspended the Global Activity Map functionality, which had been in use since 2014, due to privacy concerns. According to Polar, the application is used by ‘millions of users’.
There are obvious health benefits in using devices to better plan and track individual fitness programs. However, users should consider how they share that data including which social services they choose to link that data with.
When using a fitness tracker, users should consider when and where to use it and which product offers the best privacy options. They should also ensure those privacy options are enabled.
Timehop data breach
This month, Timehop, an app that collects and reposts photographs and posts on social media sites such as Twitter, Facebook and Instagram, suffered a data breach.
21 million users were affected, having their names and email addresses stolen. Almost five million users may also have had their phone numbers stolen, although Timehop have said they have detected no unauthorised access to photos or posts at any point.
The breach reportedly resulted from access to the company’s cloud computing provider using stolen credentials in December 2017 and early 2018, with the theft of data taking place in a two-hour window on 4th July before access was stopped.
Timehop has made it clear that this breach was enabled by the lack of two-factor authentication (2FA) on one of their cloud computing accounts, which has now been added. Users will also have to re-authenticate the Timehop app on their social media accounts next time they use it.
Due to the theft of phone numbers and dates of birth, users of Timehop should be aware of the potential for unauthorised access to other accounts which are secured using these details as security factors.
The NCSC has issued guidance on both cloud security and the use of 2FA to protect online services.