Schneier on Security

Roger • December 13, 2006 11:12 PM

A few thoughts:

0. Who will be using this?
Some of the comments on this thread seem to suggest that readers imagine lots of people wearing this device all the time. That is unlikely. It is intended to be used by joggers, whilst they jog, to help monitor one's training schedule. Conceivably it might also be used by people who want to monitor their walking (as a form of low impact exercise), but other devices for that already exist [1]. Whilst not enormously expensive, the price of the full kit (US $30 for the accelerometer/transmitter, $100 - $300 for the Nike running shoes, iPod purchased separately) is enough that not many people will be getting it unless they are significantly interested in tracking their training performance. Even among serious runners, third party hacks are already being sold to help fit it to your existing shoes as the total price is seen as a bit high for entry level users (and Nike is not actually a very popular brand with serious runners). Needless to say, joggers don't generally wear their expensive running shoes when not actually jogging. Even if they do so, the instruction manual specifically recommends removing the device and turning it off when not working out, so as to save the nonreplaceable, nonrechargeable battery [2]. (Yes, it does have an "off" button, and does not transmit at all when off.)

So 95% of the time, this will be used by moderately serious joggers, only whilst jogging.

1. Do people care about security?
My significant other purchased one of these recently. Generally speaking she has no interest in information security issues, and little exposure to the topic before meeting me. what exposure she has had since meeting me, she has found generally boring and somewhat paranoid. Nevertheless, when she was thinking of buying one she asked me what would be the maximum range at which the signal could be received. (I guesstimated 40 feet, which seems to be in the ballpark.) It turns out that she was doing her own informal security analysis, and frankly her reasoning and conclusion (that it's no big deal) were right on the ball.

I don't think it's true that "ordinary people" never consider security issues. They may not think of them as pervasively as us, and they may often miss the subtler implications, but they do think about it. In cases like this, the reason they often come up with different evaluations is simply less exacting standards. We can imagine scenarios where this device would be a severe security flaw. For example, if an undercover cop was using his morning jog to meet a narcotics informant, installing this device in his shoe could be disastrous. For a celebrity trying to exercise whilst incognito in a heavily trafficked public place, it could occasionally be a bit of a problem, although hardly a disaster. But for the average casual jogger, it really is no big deal.

2. Does it store/broadcast historical information?
No. The part that goes inside (or more usually, on) the shoe just sends instantaneous acceleration information. It has no memory, apart from its ID which is used to differentiate multiple devices in the same location. The "historical information" is stored on the iPod, then -- if you choose to do so -- uploaded to the website nikeplus.com. I have no idea of the security of the website side of things. However even that data isn't all that sensitive; it just stores your speed and distance. This distance does _not_ include endpoints or directions, and is only accurate to about ±2% (or as bad as ±10% if the user didn't bother to calibrate it). As such, it cannot readily be used to determine actual locations, just performance. I suppose that might be useful to a betting agent's spy in professional sports, but otherwise it is of little interest except to the jogger who produced it.

3. Security from stalkers.
It is actually fairly unlikely that people will be wearing these continuously. They are designed for use by joggers, whilst jogging. Joggers serious enough to shell out a couple of hundred dollars for training shoes and another $30 for the device, generally do not use their best training shoes for walking down to the shops. So what can the hypothetical stalker determine? If he already knows a jogging route with an accuracy of better than 20 metres, he can determine at what times the victim jogged along this route. Erm, so what? If he already knows the victim's habits well enough to locate a route with this accuracy, then he can probably also deduce the routine with sufficient accuracy (plus or minus an hour or so) to lie in wait. In fact, for most joggers I know well (about 5), the routine is much more regular than the routes, which change as often as daily. Routes vary for variety, for training reasons (e.g. schedule requires a 5% increment per week, which requires a totally different choice of routes if you want to start and finish at your front door), and for personal security. Yes, security; of two female and three male joggers I know really well, at least one female and two males already vary their routes semi-randomly when not jogging with a partner. It is actually quite common advice.

Saponas et al. also suggest that a "jealous boyfriend" would be able to obtain the UID of another kit which regularly jogged with his girlfriend. Maybe, but once again, so what? If a jogger jogs with one or more regular partners, that partner selection is most probably made on the basis of being free at similar hours of the day, and having similar splits (and the difficulty of finding such a partner is the reason most joggers run solo most of the time). That's all. If running splits make your eyes glaze over, the information that UID D853E12F has similar splits to your girlfriend is probably not of very much interest. Now, if the jealous boyfriend actually planted himself on the known route at about the known time, he would actually see who UID D853E12F is. That might be a much bigger deal. But he can do that even if the iPod sports kit had never been invented.

Even if a person does wear the transmitter continuously, a vast number of bugs would be required to obtain any useful information, unless the stalker already knows the victim's habits intimately -- in which case, the surveillance is largely pointless. For perspective, I did some BotE calculations on how much it would cost to completely monitor all my local routes and amenities in order to determine my habits -- assuming I had an iPod sports kit, and wore it at all times, which has near zero probability. With a 20 m radius outdoors, and $250 lowest cost per monitor, it comes in to around a quarter of million bucks to spy on me in just my local neighbourhood. If you spent all that money on sensors instead of PIs with a discreet car, it's wasted as soon as I get in a vehicle and head out of the neighbourhood. Which segues nicely into the next point:

4. Pervasive readers/tracking networks.
Casual readers seem to have gotten the impression that this device is an RFID device which will be readable by standard RFID portals in shops. This is completely wrong; apart from using EM waves to communicate, it has nothing whatever to do with RFID. It is a sensor plus microcontroller transmitting over a proprietary wireless link at 2.4 GHz. Saponas et al. speculate that the protocol is ANT, although they do not actually determine this (all their experimental devices contain actual iPod receivers to handle the wireless side of things.) ANT is a physical layer protocol with hundreds of channels, and is little used outside of sports equipment applications requiring ultra-low power consumption. The higher protocol layers on top of it are all proprietary, with every brand of sports device employing it using their own customised system. Developing a pervasive network monitoring all channels on this protocol would be technically possible, but incredibly expensive and largely pointless. It simply isn't going to occur on a wide scale unless someone comes up with a persuasive business model that will make money to pay for the millions of receivers required. And tracking random joggers sure as heck isn't that application.

5. Binding customer identity to UID:
Saponas et al. suggest that one malicious application might be to bind a customer's real world identity (e.g. through credit card history) with the UID of the iPod sports kit. Erm, how, exactly? Their existing solution only tells you that the chip with that UID is somewhere within a 60 foot radius, not that it is on the feet of the guy who just made a purchase. I can see a few ways to solve it, but unless you have a really large shop with really large turnover (in which case, you will soon be out of business), they are all complicated, expensive and error prone. And once again, what would they actually achieve? You already have this massive, dangerous penetration of privacy from the use of credit cards -- something that really is worth worrying about -- and to that, the shoes add the ability to detect when the guy enters or passes your store (but not which of several customers he may be), IF and only if he wears the same shoes. Pfft. What a lot of rubbish.

6. Mugging: the real issue.
It is quite true that on the streets, using an iPod or similar device is dangerous to the point of foolishness. You are much more likely to be involved in an accident, and much more likely to be mugged. I got flamed last time I mentioned this, so let me make clear: I am not blaming the victims for getting mugged. The blame rests on the mugger for attacking them. But the victim greatly increased his or her risk by using the iPod.

The reason has absolutely nothing to do with the sports kit. It is for two reasons: firstly, iPods are visible, highly tempting targets, with high black market resale values. This has a particular severe effect on jogger safety, since joggers otherwise carry nothing of any appreciable resale value (the shoes might be expensive, but they don't retain value very well!) Secondly, listening to loud music while walking or jogging along the street shuts down your body's 360° alert system: hearing. With your iPod on, you will not be aware of threats unless they are within your line of sight. So I strongly caution people not to jog with an iPod unless they can do so in an area that is both reasonably secure and off limits to vehicular traffic.

Now, Saponas et al. suggest that the sports kit will actually increase this risk. Their argument is that even if the iPod itself is concealed (by wearing generic headphones), a mugger can detect the transmitter and deduce that an iPod may be present. There is some rather curious logic in this argument. In all of their previous examples, it was taken as granted that the sports kit transmitter will be present and transmitting at all times, even if the iPod is not present. Now instead its transmissions are being taken as proof that an iPod _is_ present. In fact, the hypothetical mugger is now carrying around an expensive an elaborate device -- a device which a police officer might well find suspicious -- on the grounds that detecting a sensor chip will be a more reliable indicator of the presence of an iPod than simply guessing that black earphones might be camouflage. Well, maybe. I, for one, will continue to simply eschew iPods altogether when jogging on the street.

7. "Man down" alarms for high risk personnel:
Man down alarms for high risk personnel already exist. They are mainly used by firefighters, but sometimes also by police officers and prison officers. This device does not add anything to that equation, because it measures acceleration of the feet, which is not necessarily related to being knocked down. Existing alarms use a tilt switch mounted on the hip or upper thigh. It alarms if the body goes horizontal for more than a couple of seconds, or stops moving altogether for a longer period. While either can generate false alarms (which are dealt with by a radio call, "Patrolman Smith, are you OK?"), the foot mounted accelerometer would seem to be worse rather than better. Although, an acceleromter mounted on the head might be a useful adjunct; if one's head goes into freefall for >1/2 second, something is probably wrong.

____
Foornotes:
1. Actually, other devices which do everything the iPod sports kit does, and more (i.e. monitor heart rate and blood pressure) have already been available to serious runners and power walkers for years. However standard pedometers only give reasonably accurate results when walking, not when running, so to monitor distance performance when running, GPS based devices have been used. These are far more expensive than the iPod sports kit.
2. The laymen's summary of this research paper, at
http://www.cs.washington.edu/research/systems/...
contains the quote that ``The sensor has an "on-off" button, but the Nike+iPod Sport Kit online documentation says that "[m]ost Nike+iPod runners and walkers can just drop the sensor in their Nike+ shoes and forget about it," and we believe this to be the common case in practice.'' This is actually not from the online documentation, but from a FAQ, and is answering a question about battery life. I am unable to find this phrase anywhere in the actual online documentation, which is available at
http://manuals.info.apple.com/en/...
(4.7 MB PDF) and gives quite the opposite advice. It in fact says ``You can leave the sensor in your shoe when you aren't working out, but if you plan to wear your shoes for a long time without working out, we recommend replacing the sensor with the foam insert to save battery life.'' The battery is only good for 1,000 hours, and can neither be replaced nor recharged, so any active person who left it on all the time would find themselves having to completely replace the transmitter every couple of months. (A sedentary person need not worrry, as it has a power save mode when motionless for extended periods; however a sedentary person is hardly likely to want one in the first place.)