Apple and Nike may be top consumer brands, but you can't say they never put a foot wrong. The companies thought highly of their alliance to make running shoes report on exercise parameters via an iPod; after all, it neatly targets their preferred demographic. And if you can prevent the shoe-mounted sensor from catching fire mid-stride, what could possibly go wrong?
The answer, as both companies now realise, is privacy. Surreal as it may seem, security researchers have found a way to make the system tell tales on its users. Because the radio link between shoe and iPod isn't encrypted and contains a unique identifier, a determined snooper can automatically track their athletic prey — even plotting their course on Google Maps. The most intriguing and worrying aspect of it wasn't that it's possible to just do it, but that it can be done for a few pounds and with middling amounts of IT skills.
We doubt very much that anyone will suffer as a result of using this system, apart from the ever-present danger of ridicule due to conspicuous brand addiction. The message to Apple and Nike, though, is one that all companies should get: any product or service that stores or communicates personal data is a security risk. At some point during the development cycle, it should be looked at in that light. Even if the risk is considered too light to be worth fixing, the company should be aware of what could happen.
The warning comes at an apt time. As it becomes easier and cheaper to put intelligence and communication into ordinary objects, they'll join the connected world with all its penchant for convenience and unforeseen consequences. We expect safety standards to protect us with a device's physical and electrical characteristics. There is no safety standard for devices that says no communication can be intercepted nor personal information extracted. There should be: one day, there will be.
For now, individual companies must bear the responsibility for specifying and following their own best practice in this field. Apple and Nike were lucky: the solution to their problems is a little more design, and the worst they've suffered is a bit of embarrassment and some free publicity. That may not be the case next time some heel decides to snitch.
Talkback
Ok, I NEVER respond this these things but this was so absurd I had to wite. This entire article and the researcher's premise was total junk science. I'm not even sure the writer here even read the orgional story.
But let me review, you need to be within the transmit distance about 30 feet. The idea that this transmits an ID is no different than your bluetooth headset, your cellphone, or just about any other wireless device. That's how they communicate ya know.
The way this is written you would think there was a way to track someone, and as you say, plot it on a google map. Well sure you can! AS long as you followed them around all day and took note of where you where in a spreadsheet or something! Seriously this is just crazy! If you have to be within 30 feet anyway what's the point yea know? Now you could set up some sniffers all over the city in a 30x30 foot grid and I suppose attach them to a cellular device to somehow signal you but...um...I think that would be pretty expensive and you would have a lot of unhappy home owners wondering what these things are stuck all over town.
I also loved the fear factor of "The message to Apple and Nike, though, is...any product or service that stores or communicates personal data is a security risk."
What personal data!?!?! Since when is a device ID personal data? Not only that, but since the researchers premise was that someone slipped one of these in your bag without you knowing, the ID is hardly personal,they already have that!
Since you can also do this with a car, remember cars have VIN numbers, and you can see it plain as day inside the window, and given you can you follow a person in their car, which also has about an even greater distance than 30 feet, it too is a hazard. Oh, wait...we have huge plates on our cars! Damn!
hey...slow news day...two week old story....enough said.
There are lots of ways that this information could be used, though, and most of them would have been prevented by some reasonably simply precautions. The pattern of usage is different from Bluetooth, too; I could improvise an explosive device that was left in the bushes for days until the right person jogged past, which I couldn't do with BT or other radio systems.
Is that likely? I don't think so. But unless companies start thinking defensively when inventing embedded systems with communications, there will be unnecessary vulnerabilities introduced.
As the leader said, there will be plenty of occasions when a risk analysis will dictate that the simplest solution is fine. The important thing isn't to make the streets safe for radioactive joggers - a species I feel ripe for culling in any case - it's to get the industry thinking about security all the way through a design.
Who cares about details when it makes such a good story without them! Ugh....watch out the black helicopters are following your ipod!