Devices That Tell On You: The Nike+iPod Sport Kit
T. Scott Saponas, Jonathan Lester, Carl Hartung, Tadayoshi Kohno
Department of Computer Science and Engineering
University of Washington, Seattle, WA, 98195
http://www.cs.washington.edu/research/systems/privacy.html
November 30, 2006
ABSTRACT
Personal sensing devices are becoming more commonplace in everyday life. Unfortunately, radio transmissions from these devices can create unexpected privacy concerns if not carefully designed. We demonstrate these issues with a widely-available commercial product, the Nike+iPod Sport Kit, which contains a sensor that users put in one of their shoes and a receiver that users attach to their iPod Nanos. We find and technically explore example scenarios, such as stalking, where the Nike+iPod Sport Kit’s design can lead to a compromise of personal privacy and safety. Our results exploit the fact that, when a Nike+iPod user walks or runs, the user’s Nike+iPod sensor broadcasts a unique identifier that can be detected up to 60 feet away. We implement a prototype surveillance system that can track people wearing Nike+iPod sensors, plotting their location on a GoogleMaps-based website and emailing and text-messaging real-time surveillance data to an attacker. Our surveillance system can track individuals when they are working out, as well as when they are casually walking and do not have their iPods with them. The smallest node in our real-time surveillance system is currently a miniature gumstix computer (8cm x 2.1cm x 1.3cm). We also develop a method to convert a third-generation iPod into a surveillance device. Using a second-generation Intel Mote and a Microsoft SPOT Watch, we develop the means for an attacker to obtain real-time surveillance data on his or her wrist watch. To counterbalance our attacks, we present simple changes to the Nike+iPod Sport Kit’s design that, if implemented, would have significantly improved the kit’s resistance to the attacks in this paper. This work suggests a greater need for rigorously evaluating the privacy of new technologies before deployment.
a person, Alice, can place in her shoe and a receiver which Alice can attach to her iPod Nano; see Figures 1 and 2. When Alice walks or runs, the sensor in her shoe senses information about Alice’s movement and wirelessly transmits this information to the iPod Nano through the receiver. The iPod can then provide Alice with audio feedback about her workout, such as the total distance traveled or calories burned. Although the sensor has an on-off button, the Nike+iPod Sport Kit online documentation [26] recommends that most users should leave their sensors in the on position, and we believe this to be the common case in practice.¹ Similarly, the fourth heading in the same online documentation [26] implies that Apple is concerned about trackability issues; however, we find that their design allows for tracking users via their sensors.² We stress, however, that there is no evidence that Apple or Nike intended for these devices to be used in any malicious manner. Additionally, neither Apple nor Nike endorsed this study.

Privacy, Personal Safety, and the Nike+iPod Sport Kit. Despite broad public awareness of the potential privacy risks associated with pre-existing technologies, like concerns over RFID tags in Gillette razors [24] and library books [25], and despite Apple’s apparent awareness that trackability can be undesirable, we find that in the common case the Nike+iPod Sport Kit still fails to offer even the most basic level of user privacy to nearby devices: a Nike+iPod sensor is an active device that continuously broadcasts a unique identifier when a user is walking or running, even when the user’s iPod is not nearby. Moreover, our results show that, compared to some conventional passive RFIDs, the Nike+iPod Sport Kit significantly lowers the bar for an adversary since (1) the receive range for Nike+iPod sensors is greater than the read range for certain classes of conventional passive RFIDs and (2) it is easy and cheap for an attacker to implement some of our attacks — for example, we show how an attacker could use a third-generation iPod together with a Nike+iPod receiver as a surveillance device.
1. INTRODUCTION
As technology continues to advance, more and more computers will permeate our everyday lives; while the last computer revolution placed a single computer in front of a vast majority of our population, the next revolution is poised to place many computers into our environment and onto us. While the many-to-one computational revolution will have many positive aspects, our individual privacy is increasingly endangered by this advancing wave of technological gadgetry. We study one of the latest such consumer gadgets: the Nike+iPod Sport Kit from Apple Computer, Inc. Contained within the $29 (USD) kit are two modules: a sensor that
1 The exact quotation from [26] is, “Most Nike+iPod runners and walkers can just drop the sensor in their Nike+ shoes and forget about it.”
2 To provide the precise quotation, the fourth heading in [26] reads “Does it [the Nike+iPod Sport Kit] use GPS and does this mean you can track my movements?” The stated answer to this question is a single word, “No.”
To make this discussion more concrete, we next consider some example scenarios in which an adversary might exploit the Nike+iPod design for nefarious purposes. These examples show that a failure to provide adequate privacy can lead to a compromise of consumers’ personal safety. We defer further details to the body of this paper.

Stalking. A malicious person could exploit the Nike+iPod’s design and the sensor’s wide broadcast radius for stalking purposes. In our first example scenario, Alice is a college student who regularly wears her Nike+ shoes while walking between home, class, the library, the student union, the gym, and her friends’ homes. Her ex-boyfriend, Marvin, is unable to come to terms with their separation and still wishes to have some interaction with her. If Marvin places specially-crafted devices (a.k.a. nodes or Nike+iPod detectors) by each of the above-mentioned locations, then he can remotely detect exactly when Alice enters and leaves a particular location (by detecting the unique identifier associated with Alice’s Nike+iPod sensor). Not only is simply collecting this information a potential violation of Alice’s privacy, but this information could also enable Marvin to perform some malicious action. At a minimum, Marvin could somehow “accidentally” find himself bumping into Alice at “random” places, as if by coincidence.

Prototype Surveillance System. We implemented a prototype surveillance system, much like the one Marvin would deploy in the above scenario. Our surveillance system consists of multiple Nike+iPod detector nodes (e.g., a $109 gumstix with an attached $79 wifistix and a Nike+iPod receiver). When a node detects a broadcasting Nike+iPod sensor, the node knows that the sensor is nearby. The node then sends a message using WiFi to a central database; the message contains the location of the node (latitude and longitude), the four-byte unique identifier for the Nike+iPod sensor, and the time the sensor was detected. The central database aggregates all the data from all the nodes and publishes a GoogleMaps overlay showing the locations at which Nike+iPod sensors were recently detected. By looking at this website, Marvin can learn if Alice is near the library, the gym, and so on.

Extensions and Variations. There are several natural extensions to the above scenario. For example, we implemented an extension allowing Marvin to have the system send him SMS messages or emails when Alice changes her location, thereby providing Marvin with a continuous update of Alice’s location. Marvin could also correlate Alice’s location information with the location information of others; thereby possibly inferring information about Alice’s new boyfriend or other associates. In the case where Alice doesn’t own a Nike+iPod kit, Marvin could maliciously implant a sensor in one of Alice’s shoes, thereby enabling the above attacks. Other malicious parties could also use the above system to track large populations of individuals simultaneously. They could look for commuting and socializing habits and single out a particular victim based on his or her profile, e.g., by finding the lone jogger who likes to run at 4am, along with his or her running route. Alternatively, after the stalker
Figure 1: An un-opened Nike+iPod Sport Kit.
Figure 2: A Nike+iPod sensor in a Nike+ shoe and a Nike+iPod receiver connected to an iPod Nano.

physically observes and selects a victim, the stalker could access the database of stored logs and immediately know significantly more information about this particular victim’s habits, and perhaps even predict where this victim will be in the next hour and intercept him or her there. We consider additional scenarios and attack variants in the body of this paper.

Our tools. Toward exploring the potential privacy implications of the Nike+iPod Sport Kit, we developed the following set of attack tools:

• We developed an iPod dock serial-to-USB adaptor, which allows us to plug a Nike+iPod receiver into any device with a USB port.

• We developed a Nike+iPod Serial Communication Tool for Windows XP machines. This tool can collect and visually display data about nearby Nike+iPod sensors, and can feed data in real-time to a back-end SQL server as part of a larger surveillance system.

• We created a small Nike+iPod detector (8cm x 2.1cm x 1.3cm) from a $109 gumstix connex 200xm, a $79 wifistix, a $27.50 gumstix breakout board, a $2.95 female iPod dock connector, and a $29 Nike+iPod receiver. This Nike+iPod detector can log data internally and can wirelessly feed data in real-time to a back-end server as part of a larger surveillance system. Without the wifistix, our gumstix Nike+iPod detector can still collect data for offline post-processing. If others were to make our software (or the equivalent) available on the Internet, then it would require only minimal technical sophistication — the ability to follow online instructions for installing software onto the gumstix and some soldering — for an attacker to create his or her own gumstix-based Nike+iPod detector.

• We created a second small Nike+iPod detector module (5cm x 3.8cm x 2.5cm) using a second-generation Intel Mote (iMote2) running Linux. Our iMote2 module can wirelessly communicate information about nearby Nike+iPod sensors to a paired Microsoft SPOT Watch using bluetooth. An adversary could hide the iMote2 in his or her pocket and observe real-time surveillance data on his or her wrist watch. The iMote2 could also be hidden in an environment and passively record surveillance information for subsequent offline analysis. For example, the iMote2 could be hidden in the bushes near a popular running trail, behind a library book, or inside a restroom paper towel dispenser.

• We also converted a used, third-generation iPod into a Nike+iPod surveillance device. Such iPods are often available on eBay for approximately $100. As with our gumstix-based Nike+iPod detector, creating a third-generation iPod-based surveillance device only requires marginal technical sophistication: an adversary would purchase a Nike+iPod Sport Kit and a few additional parts, would perform a minimal amount of soldering, and would download and install some software that others could make available on the Internet. The converted iPod could serve as a node in some larger surveillance system. Although the iPod’s data would not be available to the larger surveillance system in real-time, an adversary could still view real-time surveillance data on the iPod’s screen.

• As noted above, we implemented a prototype surveillance system capable of incorporating data from multiple Nike+iPod detectors. The surveillance system can either display a map of real-time Nike+iPod sensor locations, or a historical view of the map. The system can send emails or SMS text messages containing real-time surveillance information. In real-time mode, the current data sources can be Windows XP machines and gumstixs. In historical mode, the current data sources can be Windows XP machines, gumstixs, iMote2s, and third-generation iPods.

We stress that we did not implement our prototype attack systems in order to aid potential stalkers or other adversaries, and we do not plan to distribute our software. Rather, we implemented our systems in order to better understand the capabilities of an attacker and to demonstrate that the attack scenarios that we describe are of practical concern. While we have used our tools to track ourselves and consenting colleagues, in order to respect the privacy of others, we did not actually deploy our systems to track unsuspecting individuals. Consequently, we do not present the results of a full distributed surveillance experiment in this paper.
Alternate Designs. We consider alternatives to the existing Nike+iPod design that, if implemented, would have significantly improved the privacy-preserving properties of the Nike+iPod kit. While our design alternatives are more privacy-preserving than the current Nike+iPod design, we acknowledge that implementing our alternatives may affect battery life, manufacturing cost, and usability under some circumstances.

Discussion. While the central focus of this study is on understanding, exploiting, and improving the design of the Nike+iPod Sport Kit, the implications of this work are much broader. Namely, while trackability based on personal devices is not new — indeed, it is well-known that the possession of traditional passive RFIDs, discoverable bluetooth devices, and WiFi devices can enable tracking by third parties — the key contribution here is showing that new devices are still being introduced without strong privacy-preserving mechanisms. Our hope is that this work will further motivate industry members and the computer science research community to work together to better understand and address the full privacy implications of future devices, as well as to work towards retroactively improving the privacy of existing technologies.

Overview. Section 2 discusses our initial technical exploration into the design of the Nike+iPod system. Next, Section 3 discusses our experiments measuring the various characteristics of the Nike+iPod sensors. We then describe how we instrumented tools for creating surveillance systems using the Nike+iPod receiver in Section 4. Section 5 gives example scenarios where attackers could use these systems to stalk victims, and we discuss the implications of our work in Section 6. Section 7 discusses related work. Finally, Section 8 concludes the paper.
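An added illustration of the Alternate Designs point (not code from the paper, whose concrete proposals are not shown in this section): it contrasts the static identifier described above with a hypothetical rotating identifier derived by HMAC from a secret assumed to be shared when sensor and receiver are linked. The function names, the epoch counter, the key and the sample identifier are all constructed assumptions.

```python
import hashlib
import hmac

PSEUDONYM_LEN = 8  # assumption: length in bytes of the rotating identifier


def pseudonym(link_key: bytes, epoch: int) -> bytes:
    """Per-epoch identifier derived from a secret shared at link time (assumed)."""
    mac = hmac.new(link_key, epoch.to_bytes(8, "big"), hashlib.sha256)
    return mac.digest()[:PSEUDONYM_LEN]


def static_broadcast(uid: bytes, epoch: int) -> bytes:
    """Behaviour described in the paper: the same identifier in every broadcast."""
    return uid


def rotating_broadcast(link_key: bytes, epoch: int) -> bytes:
    """Hypothetical alternative: the identifier changes every epoch."""
    return pseudonym(link_key, epoch)


def observe(broadcast, secret: bytes, route):
    """What passive listeners at each place on the route would record."""
    return [(place, broadcast(secret, epoch)) for place, epoch in route]


def linkable(sightings):
    """Identifiers recorded at more than one place, the property tracking needs."""
    places = {}
    for place, ident in sightings:
        places.setdefault(ident, set()).add(place)
    return {ident: seen for ident, seen in places.items() if len(seen) > 1}


def receiver_accepts(link_key: bytes, now_epoch: int, ident: bytes, drift: int = 1) -> bool:
    """The linked receiver recognises its own sensor within +/- drift epochs."""
    return any(
        hmac.compare_digest(pseudonym(link_key, epoch), ident)
        for epoch in range(max(0, now_epoch - drift), now_epoch + drift + 1)
    )


# Constructed sample data: not a real sensor identifier or key.
ROUTE = [("library", 100), ("gym", 101), ("student union", 102)]
SAMPLE_UID = bytes.fromhex("0a1b2c3d")  # four bytes, as the paper reports
SAMPLE_KEY = bytes(range(16))

if __name__ == "__main__":
    print("static  :", linkable(observe(static_broadcast, SAMPLE_UID, ROUTE)))
    print("rotating:", linkable(observe(rotating_broadcast, SAMPLE_KEY, ROUTE)))
    print("receiver:", receiver_accepts(SAMPLE_KEY, 101, pseudonym(SAMPLE_KEY, 102)))
```

Within a single epoch the rotating identifier is still constant, so the epoch length bounds how long one observer can follow a sensor; the drift window is the price of not having synchronised clocks.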
2. DISCOVERING THE NIKE + IPOD PROTOCOL
The Nike+iPod Sport Kit. The Nike+iPod Sport Kit allows runners and walkers to hear real time workout progress reports on their iPod Nanos and to view their workouts online at http://www.nike.com/nikeplus/. A typical user would purchase an iPod Nano, a Nike+iPod Sport Kit, and either a pair of Nike+ shoes or a special pouch to attach to non-Nike+ shoes. The Nike+iPod kit costs $29 and consists of a receiver and a sensor; see Figure 1. Users place the sensor from the kit in their left Nike+ shoes and attach the receiver to their iPod Nanos as shown in Figure 2. The sensor is a 3.5cm x 2.5cm x 0.75cm plastic encased device, and the receiver is a 2.5cm x 2cm x 0.5cm plastic encased device. When a person runs or walks, the sensor begins to broadcast sensor data via a radio transmitter whether or not an iPod Nano is present. When the person stops running or walking for ten seconds, the sensor goes to sleep. When the iPod Nano is in workout mode and the receiver’s radio receives sensor data from the sensor, the receiver will relay (a function of) that data to the iPod Nano, which will then give feedback to the person on his or her workout.
Figure 4: A Nike+iPod receiver fully removed from its protective case. The blue wire is attached to the iTXD pin, the green wire to the iRXD pin, and the black wire is attached to ground.

Figure 3: A broken-open Nike+iPod receiver.

sor and a receiver. Having made this observation, we then commenced to uncover more details about the Nike+iPod protocol.

The Hardware. The Nike+iPod Sport Kit receiver communicates with the iPod Nano through the standard iPod connector. Examining which pins are present on the receiver’s connector and comparing those pins with online third-party pin documentation [17], we determined communication was most likely being done over a serial connection. Opening the white plastic case of the receiver reveals a component board and the pin connections to the iPod connector. There are ten pins in use; three of these pins are used in serial communication: ground, iPod transmit (iTXD), and iPod receive (iRXD); see Figures 3 and 4. We verified that digital data was being sent across this serial connection by connecting an oscilloscope over the iRXD and ground while the open receiver was connected to the iPod. This also allowed us to measure the bit width and establish that the serial connection was using the data rate of 57.6 Kbps. We then soldered wires onto the ground, iTXD, and iRXD pins and connected them to the serial port of our computer. With the receiver connected to the iPod we turned on the iPod and saw data sent in both directions over the serial connection. In the data transmitted by the iPod, the serial number of the iPod is sent in ASCII. Similarly, in the data transmitted by the receiver, the receiver’s serial number and the serial number of the last sensor that was used in a workout with the receiver are sent in ASCII.

Serial Communications. As noted above, before the receiver can be used with a new sensor, the sensor must be linked with the receiver. This is initiated by the user through menus in the iPod interface. The user is asked to walk around so that the sensor can be detected by the receiver. When the link process is started, the iPod sends some data to the receiver. Then, the receiver begins sending data until the new sensor is discovered and linked by the receiver. Finally, the iPod sends some more data back to the receiver. In this last chunk of data from the iPod, the serial number of the new sensor is sent in ASCII. A transcript of the communications is shown in Figure 5.
The iPod software offers a variety of workout modes: Basic, Time, Distance, and Calories. The Basic mode allows one to select music to listen to during a workout and monitors distance, running pace, and calories burned. At any time during the workout, the user may press the center button of the iPod and spoken feedback over the headphones announces how much time has elapsed since beginning the workout, the distance run so far, and the current pace (in terms of minutes per mile or km). The Time, Distance, and Calories modes are similar to the Basic mode, except they allow the user to set a target workout duration, distance to run, or calories to burn, respectively. At the conclusion of a workout users sync their iPod with iTunes and the workout information is sent to NikePlus.com. The NikePlus web site gives users several visualizations of their workouts, the ability to challenge others to workout competitions, as well as a forum for discussing running.

Initial Analysis. Our first goal was to learn how the Nike+iPod sensor communicates with the receiver. According to the Nike+iPod documentation, a sensor and receiver need to be linked together before use; this linking process involves user participation. Once linked, the receiver will only report data from that specific sensor, eliminating readings from other users’ sensors. The receiver can also remember the last sensor to which it was linked so that users do not need to perform the lin...