10 Ways Wearable Devices Are Spying on You

Mobile Paranoia: 10 Facts About How Wearable Devices Are Spying on You

For twenty-five years, hackers have been sounding the alarm: our private lives, privacy, right to anonymity, and the confidentiality of our communications are under attack—and the intensity only increases each year. The era of total surveillance is at our doorstep, but most people aren’t concerned—even Edward Snowden’s shocking revelations are seen by the masses as just another passing scandal. So what’s left for us, the hackers? To inform. At security conferences, experts discuss ever more sophisticated threats. Here, we’ve selected ten reports highlighting the latest trends in mobile espionage.

1. The Gyroscope That Listens In

Modern smartphones are packed with sensors that enable rich user interfaces. While generally useful, these sensors can (sometimes unintentionally) leak sensitive information. Risks associated with microphones, cameras, and GPS are well-known, but even gyroscopes and accelerometers can be dangerous. A simple Java applet on a website can measure and record their readings.

What’s the risk? Access to the gyroscope and accelerometer allows attackers to identify users by their walking patterns, read keystrokes typed on a nearby keyboard, and even eavesdrop on conversations—using the gyroscope as a crude microphone. Detailed instructions on how to do this are publicly available.

2. The Battery That Rats You Out

“The battery? Seriously? What does my phone’s battery have to do with anything?” Calm down, let’s start from the beginning. Have you ever wondered how your phone’s battery knows when to stop charging, even if the phone is off? Modern batteries have built-in microcomputers that communicate with the charger and the phone. The smart battery’s management system (SBS) can be fully reprogrammed.

This feature is meant to help the SBS more accurately measure battery parameters and adapt charging algorithms. But if an attacker changes the microcomputer’s operation, it could cause the battery to overheat or even catch fire. Worse, an attacker with access to the smart battery’s microcomputer could monitor trusted operations with the phone’s crypto chip, since the battery communicates with the OS over a “trusted channel.”

3. Tell Me Your Phone’s Power Usage, and I’ll Tell You Where You Are

Modern mobile platforms like Android allow apps to access the phone’s overall power consumption. This information is considered harmless, so no special permissions are required. But by simply reading the phone’s power usage for a few minutes, it’s possible to determine the user’s location. Although power consumption data is noisy due to many components and apps, modern machine learning algorithms can filter out the noise and accurately pinpoint the phone’s location. Detailed instructions are publicly available.

4. Wi-Fi Lip Reading

Wi-Fi signals can “see” people’s movements and locations and even “hear” their conversations—even if they aren’t carrying any electronics. This is possible thanks to advanced radio mapping techniques: coarse mapping allows “seeing,” while fine mapping enables “hearing” (even multiple people at once).

Wi-Fi “hearing” works by profiling mouth movements. The Wi-Fi signal detects the position of lips, teeth, and tongue. Since radio signals pass through walls, Wi-Fi can “hear” conversations even from another room. All it needs is to find a person’s mouth (and not confuse it with a blinking eye). Detailed instructions on how to harness Wi-Fi for this purpose (using machine learning and wavelet transforms) are publicly available.

5. Electromagnetic Fields: The Ultimate Snitch

Indoor localization using a smartphone’s detection of electromagnetic fields (“magnetic fingerprints”) is a hot topic. Each room has a unique electromagnetic fingerprint, determined by natural and artificial factors like steel frames or electrical wiring. These profiles can be used for indoor localization and are gradually replacing Wi-Fi mapping because they’re less energy-intensive—no extra equipment is needed, just the smartphone.

Critical Comment by 84ckf1r3: Most of these methods lack practical accuracy due to interference, low sampling rates, and other physical limitations. Machine learning and filtering aren’t all-powerful. For example, Wi-Fi signal analysis can estimate the number of moving people behind a wall, but stationary people often blend in with furniture. It’s nearly impossible to determine their height or articulation. Battery management systems are too primitive to compromise cryptographic keys. In short, taking these methods beyond proof-of-concept is extremely difficult—Shannon’s “Mathematical Theory of Communication” reminds us that you can’t reconstruct a complex signal from simple side signals. For example, you can estimate a train’s speed from the sound of its wheels, but not what radio station a passenger is listening to or what’s in their luggage.

6. RFID Tags: An Old Threat, Reinvented

RFID chips—tiny computer chips now smaller than a grain of sand—are a well-known privacy risk. Thieves can walk around cities with scanners, searching for chipped documents to steal. With cheap equipment, RFID can be read from up to 20 meters away.

Retailers can also track you: every product with an RFID tag has a unique ID, which can be linked to you (for example, by scanning your credit card). RFID chips can be read through clothing, wallets, or backpacks—without your knowledge or consent. Consumers can’t tell which products contain RFID chips, as they can be hidden in clothing seams, between cardboard layers, or molded into plastic. Antennas can now be printed with conductive ink, making RFID chips nearly invisible. Some companies are even designing packaging that acts as its own antenna. Soon, consumers may have no way to know if a product contains an RFID tag.

7. The Ultrasonic Conspiracy: uBeacons

The ultrasonic tracking ecosystem (uBeacons) is a relatively new technology using audio beacons, inaudible to humans, to track users and devices. uBeacons are high-frequency audio signals that most commercial speakers can emit and most microphones can detect. Marketers love this technology because it allows cross-device tracking.

For example, if someone watches a TV ad and then browses the web on their phone, advertisers can show targeted ads. uBeacons can be embedded in websites or TV ads and collected by advertising SDKs in smartphone apps. The uXDT framework, installed on a user’s device, listens for these ultrasonic signals in the background. When it detects a signal, it extracts a unique ad ID and reports it—along with device and user identifiers—to the advertiser, who then targets the user with personalized ads. Sometimes, app developers may not even know that an ultrasonic beacon is hidden in their project, especially if they used a “free SDK” that secretly included it.
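
A recording made near a TV or a web page can be checked for this kind of signal. The detector below is an added example, not code from the original article or from any uXDT product. It assumes beacons are sustained tones in the 18–20 kHz near-ultrasonic band (the article does not name a band) and runs on constructed test audio.

```python
import math

RATE = 44100                      # Hz, common capture rate (assumption)
BAND = range(18000, 20001, 100)   # assumed near-ultrasonic beacon band, Hz

def goertzel_power(frame, freq, rate=RATE):
    """Normalized power of one frequency in a frame (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(frame) ** 2

def find_beacons(samples, rate=RATE, frame_ms=10, min_power=1e-4, min_ms=100):
    """Return [(start_s, end_s, freq_hz)] for tones in BAND lasting >= min_ms."""
    n = rate * frame_ms // 1000   # 441 samples at 44.1 kHz -> 100 Hz resolution
    events, run_start, run_freq = [], None, None
    offsets = list(range(0, len(samples) - n + 1, n)) + [None]  # None = end marker
    for idx, off in enumerate(offsets):
        peak = None
        if off is not None:
            frame = samples[off:off + n]
            f, p = max(((f, goertzel_power(frame, f, rate)) for f in BAND),
                       key=lambda fp: fp[1])
            peak = f if p >= min_power else None
        if peak != run_freq:      # tone changed or ended: close the current run
            if run_freq is not None and (idx - run_start) * frame_ms >= min_ms:
                events.append((run_start * frame_ms / 1000,
                               idx * frame_ms / 1000, run_freq))
            run_start, run_freq = idx, peak
    return events

def synth(seconds, beacon_hz=None, beacon_span=(0.0, 0.0), rate=RATE):
    """Constructed test audio: two audible tones plus an optional faint beacon."""
    out = []
    for i in range(int(seconds * rate)):
        t = i / rate
        x = 0.3 * math.sin(2 * math.pi * 300 * t) + 0.2 * math.sin(2 * math.pi * 1200 * t)
        if beacon_hz and beacon_span[0] <= t < beacon_span[1]:
            x += 0.05 * math.sin(2 * math.pi * beacon_hz * t)
        out.append(x)
    return out

if __name__ == "__main__":
    print(find_beacons(synth(0.5)))                     # audible tones only
    print(find_beacons(synth(0.5, 18500, (0.1, 0.4))))  # beacon from 0.1 s to 0.4 s
```

The persistence requirement (`min_ms`) keeps short high-frequency transients such as clicks from being reported. The power threshold is a constructed value that would need tuning against the noise floor of a real microphone.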

8. The Enemy in Your Fridge (and Bookshelf)

In 1999, MIT launched the Auto-ID project to create a “physically connected world” where every item is inventoried, cataloged, and tracked. Today, RFID tags as small as 0.3 mm (thinner than a human hair) can be placed in banknotes, allowing authorities to track cash transactions and eliminate anonymous exchanges.

“Smart fridges that report their contents to the supermarket.” “Interactive TV that selects ads based on your fridge’s contents.” This is today’s reality. Auto-ID, combined with RFID scanners in bookshelves (“smart shelves”), can provide exhaustive information about consumer behavior. Sometimes, these scanners are installed in household items without the consumer’s knowledge.

If you don’t have any RFID microchips at home or in your bag, you’re considered suspicious—a potential terrorist. Today, government agencies are seriously considering digitizing every aspect of human life “to fight terrorism” by tracking everyone in real time. As one expert put it:

“The key to defeating terrorists is the ability to digitize absolutely everyone and place them on our digital battlefield. By identifying and tracking every person in real time, we can immediately detect suspicious activity. If someone isn’t digitized, they’re a potential terrorist. We can digitize the population by embedding RFID tags in documents, driver’s licenses, library cards, corporate IDs, passports, visas, license plates, and so on. Once the population is fully digitized, we’ll know who owns what. By processing all this data, we can detect suspicious activity. We can track people inside vehicles using RFID triangulation (for example, with scanners in streetlights). All vehicles moving between cities should have RFID tags (on licenses, documents). When these vehicles approach a scanner embedded in the road, we can identify both the car and its current driver. This way, we can effectively detect suspicious activity.”
— Counterinsurgency Airpower // Air & Space Power Journal, 2006

9. The Secret Life of Your SIM Card

Your SIM card is a mysterious little computer in your pocket, beyond your control. It can do much more than just authorize your phone. Simple apps can be loaded and run directly on the SIM—separately from the phone, regardless of its operating system. These apps can:

  • Visit URLs
  • Send SMS messages
  • Initiate and receive calls
  • Connect to and use information services
  • Run AT commands on the phone

Apps can be silently loaded onto the SIM via remote data transfer. Updates can be pushed by your mobile operator—or by an attacker impersonating the operator (using an IMSI-catcher, for example). Detailed instructions are publicly available.

10. Mobile Trojans: Old Tech Still Going Strong

New technologies are spreading worldwide, but classic malware is still a threat. Dozens of spyware programs can be remotely installed on a phone in “stealth mode” and spy on the owner without revealing themselves. It was once believed that good “cyber hygiene” could protect you, but today, even cautious users with the latest security updates can fall victim to mobile espionage.

Some spyware can be detected with modern security tools, but keeping these tools up to date and properly configured is increasingly difficult, while attacks are getting easier. This is partly because the latest information technologies are now openly available, increasing the risk that impulsive, unpredictable individuals will use high-tech “toys” for malicious purposes.

Some believe that the much-publicized leaks of CIA hacking tools weren’t really whistleblowing, but a controlled leak to mislead competitors into investing in obsolete tools. Cyber and info-centric wars are no longer the key; today, knowledge-centric wars rule, where “people are broken by professionals, not machines.”

As a result, we’re seeing an exponential asymmetry in cybersecurity: attackers have the upper hand. Mobile threats are growing by 42% annually. Here are some examples of spyware marketed as legitimate “parental control” systems, all of which hide their actions from the phone’s owner:

  • Neo-Call Spy: Originally for Symbian, now works on iPhone, BlackBerry, Android, and Windows Phones. Sends information directly to another phone. Tracks SMS, call logs, location; remotely eavesdrops and logs keystrokes. Commands are received via hidden SMS messages.
  • Mspy: Works on smartphones and tablets. Monitors calls, SMS, emails, GPS location, browsing history, calendar, contacts, IM messages; manages apps, views media files, and offers remote control features like wiping the device. Uses a secure online account for data collection and reporting.
  • FlexiSpy: Initially classified as a mobile trojan, now marketed as legitimate. Offers about 130 features, including those of Mspy, plus unique ones like camera access and wallpaper viewing. Uses a secure online account for data collection and reporting.
  • Mobile Spy: Has most FlexiSpy features, plus app blocking, app installation, and real-time interaction with the phone’s UI control panel.
  • Higster Mobile: Easy-to-use monitoring app: texts, call recording, call logs—all sent to email, another phone, or a secure online account.
  • All-in-one Spy Software: High-quality phone spying software, in development since 2006.
  • Spyera: Installed on smartphones to monitor everything happening on the device. Secretly records all events (SMS, call history, contacts, location, emails, app messages, IM, Facebook chat, Skype, and more) and delivers the data to a secure web account.
  • SpyMaster: The most advanced mobile spying software. Fully hidden mode, claimed to be undetectable by its developers.

Editorial Note: Or, Instead of a Conclusion

The era of total digital surveillance is upon us, and it’s likely to fully arrive in this generation’s lifetime. It’s too late to fight it; perhaps only a healthy dose of indifference will help society cope (yes, by ignoring it). We already see examples of this attitude from both “watchers” and the “watched”:

  • “What photo, what video? We don’t know, we’re too lazy to check the cameras (they’re broken, nothing’s visible, they’re pointed the wrong way), and even if we look—how do we know who that face belongs to? Was it a thief or just someone passing by? We don’t know who robbed your apartment or stole your car, so… try somewhere else.”
  • “Nude photos leaked? No big deal, it’s good for your popularity.”
