Strata NYC 2015 What does your smart device know about you?

What does your Smart
Device know about
you?
Charles S. Givre
Über Nerd
Booz | Allen | Hamilton
givre_charles@bah.com

Who am I?Charles Givre @cgivre
givre_charles@bah.com

Stuff my Company Wants me to Say
§ The techniques I demonstrated here are the results of my own research. I have no
knowledge of anyone using or not using the techniques demonstrated here.
§ The data I gathered all belongs to me and was gathered from devices that I own.
Please remember that unauthorized access to someone else’s computer or network
IS A CRIME.
§ The views presented here represent only my own and not those of my company or
anyone else.
§ I have no financial interest in any of the products you are seeing here, nor do I have
any connection with their parent companies, aside from having purchased their
products.
§ Always drink upstream from the herd. (Just seeing if you are actually reading this)

The Experiment
§ Using data collected from “smart”
devices, see what could be learned
about the owner.
§ I start out knowing only that the
target owns a Wink hub.
§ I limit the data to that which can be
gathered via automated means.

Conclusions
“Smart” devices collect and broadcast a lot of
information beyond what you might expect. In
aggregate, this information can reveal a great deal
about the device’s owner.

Conclusions
The devices typically do not store the data locally, but
rather on a remote (cloud) servers.

Conclusions
To facilitate interoperability, most of these devices make
portions of their data available via an API.

Conclusions
Access to this data is typically protected by your
email address and a password.

[{
"linked_service_id": "aad234fce-oanqtqi1",
"service": "facebook",
"account": "XXXXXXXX",
}, {
"linked_service_id": "bbe345edd-q2it1ahnh",
"service": "twitter",
"account": "cgivre",
}]

What we’ve learned from the Wink Hub:
§ The target’s FacebookID and Twitter handle

[device_manufacturer] => quirky_ge
[model_name] => Refuel
[upc_id] => 17
[upc_code] => 840410100866
[lat_lng] => Array
(
[0] => 39.374XXX
[1] => -76.706XXX
)
[location] => 21208
[mac_address] => 0c2a6907794b
[serial] => ACAB00015458
[tare] => 18
[tank_changed_at] => 1441593829
)

What we’ve learned from the Wink Hub:
§ The target’s FacebookID and Twitter handle
§ What other devices the target has:
§ Nest Thermostat
§ Nest Protect
§ Refuel Propane Tank Doodad
§ Ring Doorbell
§ Where the target lives (?)
§ When the target added these devices to the network

Network Information
{
"serial_number": "02AA01AC301302UB",
"scale": "F",
"location": "7d7c1d80-726b-11e3-b782-12313d224c5e",
"network": {
"online": false,
"last_connection": "2015-02-19 20:19:51",
"wan_ip": "98.233.236.XX",
"local_ip": "192.168.2.8",
"mac_address": "18b4300a269c"
},

Network Information
"wan_ip": "98.233.236.XX"
The following results may also be obtained via:
http://whois.arin.net/rest/nets;q=98.233.236.XX?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
Comcast Cable Communications, Inc. DC-CPE-31 (NET-98-233-0-0-1) 98.233.0.0 - 98.233.255.255
Comcast Cable Communications, Inc. JUMPSTART-5 (NET-98-192-0-0-1) 98.192.0.0 - 98.255.255.255

What we’ve learned from the Nest:
The target uses Comcast for their
internet service

Network Information
"wan_ip": "98.233.236.XX"
https://www.iplocation.net

What we learned so far from the Nest:
The target uses Comcast for their
internet service
The target lives in Pikesville, Maryland

{
"start": 55918,
"end": 55918,
"type": 0,
"touched_by": 6,
"touched_when": 1417520705,
"touched_timezone_offset": -18000,
"touched_where": 1,
"touched_id": "Charles's iPhone",
"heat_temp": 17.772,
"previous_type": 4,
"event_touched_by": 1,
"event_touched_where": 0
},

0
5.5
11
16.5
22
Wink Charles's iPhone Charles's iPad

What we learned so far from the Nest:
§ The target uses Comcast for their internet service
§ The target lives in Pikesville, Maryland
§ The target owns an iPhone, iPad and Wink hub

When are you home?
§ Away
§ Auto Away
§ Manual Away

When are you home?
date away auto_away manual_away
2015-05-06 16:05:01 FALSE FALSE FALSE

When are you home?
Start End Week Day Duration
2015-03-18 09:35:03 2015-03-18 19:10:01 Wed 09:34:58
2015-03-19 09:35:04 2015-03-19 23:55:01 Thu 14:19:57
2015-03-20 00:00:01 2015-03-20 13:55:01 Fri 13:55:00
2015-03-21 14:10:01 2015-03-21 15:20:02 Sat 01:10:01
2015-03-23 10:10:02 2015-03-23 14:45:03 Mon 04:35:01

When are you home?
Weekday Average Time Away
Fri 05:06:39
Mon 01:56:15
Sat 03:32:30
Thu 05:49:58
Tue 02:23:16
Wed 05:53:59

When are you home?
0
7.5
15
22.5
30
9 10 11 12 13 14 15 16
Monday Tuesday Friday

The Automatic Car Dongle
WTH does it do?

WTH does it do?
§ Puts your car’s data to work
§ Decodes check engine light
diagnostics
§ Improves driving with real-time
feedback
§ 24/7 Crash Response
§ See your driving in their dashboard

https://developer.automatic.com/api-reference
https://github.com/adamwulf/automatic-php-api

{
"url": "https://api.automatic.com/vehicle/XXXXXXXXX/",
"id": "XXXXXXXXXXX",
"vin": “JM1BL1SG9AXXXXX",
"make": "Mazda",
"model": "3",
"year": 2010,
"submodel": "Base",
"color": "#000000",
"display_name": “Mazda 3",
"created_at": "2015-03-15T14:15:32.588000Z",
"updated_at": "2015-03-15T14:15:32.588000Z",
"fuel_level_percent": 60.54
}

What we learned from the Automatic:
§ The target owns a 2010 Mazda 3 and a 2005
Honda Odyssey
§ Complete vehicle history (If you want to pay…)
§ Target removed a Hyundai Santa Fe in May and
replaced it with the Honda minivan.

Allows you to build a spreadsheet
of all your trips…automatically.

Also, IFTTT is only protected by
your username/password.

§ Trip Start/Stop
§ Coordinates
§ Paths
§ Duration
§ Vehicle Used

Calculate the target’s
pattern of life

Trips per day
Monday Tuesday Wednesday Thursday Friday Saturday Sunday
84
3
102
126
111110
98

What we learned from the Automatic:
§ The target owns a 2010 Mazda 3 and a 2005
Honda Odyssey
§ Complete vehicle history (If you want to pay…)
§ Target removed a Hyundai Santa Fe in May and
replaced it with the Honda minivan.
§ Target doesn’t roll on Saturdays…

}`joF`w}rMWK_@?s@?E{DnACj@Dt@VdAx@tAnA^PH`@A~@[nAKF|EJxIDfBJnAdApKZnFt@lULÈ?d@?
l@e@HKBo@TmKrDaCÀcBz@kDlBmCzAsBp@IGQB_AJwAHkBCyFc@SD]C_DEmHX{KVmECcJ?
eAH{@NmA{EhCmBv@w@ZeCbA_Bt@kCnA{Ah@oAJ_@ACtD@xDXbArAlBbA~B
zANrAHzBBz@Nt@FlJFbFNrEz@fLn@jFv@vEfAjFpBnHzHrXvAvGt@tEx@~G`@|
FjA`^b@vIdApLlA`JhAfGhBbInClJ~BpGhB|
DzBvDzD`FzEhFvBrBpA`BzAvBtAjCdAbCv@zB~CvKhBzF~@pBhAbBdAhArBvApDdBlLdFpQrHfFzBlCdA~Bn
@lARlBN`DDlBMhBU|IiB`J{AnFs@vGi@pEUnGWrVeAtLq@rb@iBrK_@dOi@zOc@bPEfP@ziA@pJCjLB`R?
vMIhPq@v^_CzqBth@cDbIo@~FgA~CcAtCoA|A{@zAcAtC_C`FqFlDqFbD{GÒcfFqL|CuGq@rAqBbAgAtB}
AbCiA|WcGzAc@xAm@`BaAlAaAfAiAnBoChJuQxBsEdLcV`X_k@`ByD|
M_[pFwLpBsFbB_HjImf@r@iEzBgKdBuGzByHtAwD|@_ChBuDjFcJp@_AfEuFnCsCbPsPpDuDrLgMjEkE|
CcDzCuCfBqArC_BdB{@rC}
@bDs@fFk@pOyAxCg@jDkA~As@xBmAtIqFlEsC`PsJjEyBd@W`KkFx@c@H@H@PIvBcA|
@K^DdHrBÀZXRf@r@N^TR|@|DjBrHnDnO~Jva@lAhFxIt]z@pDjBtGvAvDzAjDdBdD|
EhH~HjLvFfIfErGbKbOpGnJnDlFf@v@bCnEp@~AjBlFnDpMdAzDlBbHtB`HpAjDbDnHnEzHÈnFfEtEdMzKnTl
R~gArÀ~h@zd@~H|GzHtHzK`Mxm@pq@dRpS|DfDzB`BhC`BfDhBdI`DrJfD|
KxDn@RJNHHtCjAjAd@n@`@jA~@~@hAjBjDb@vAH~AW~CcBrKcC|P[rBxDClDIr@DRJVXJ?J@VHR
PRGLOHm@EWj@Ib@e@zAqAh@Op@Cn@Nj@`@p@fEdI|B~EpAzB|@À@?~O|KfB|@jBRxA?|
Ac@xBQvB@nB`@jBlAbBxB~AÈz@zBzAgAlAeAn@cAM`@FNFMf@rB|@
Path

Path
https://developers.google.com/maps/documentation/utilities/polylineutility
Distances Latitude Longitude Duration
0.000000 39.37823 -76.67073 0.000000
0.008891 39.37835 -76.67067 0.016466
0.011058 39.37851 -76.67067 0.020478
0.017969 39.37877 -76.67067 0.033277
0.050259 39.37880 -76.66973 0.093073
0.027666 39.37840 -76.66971 0.051233
0.015289 39.37818 -76.66974 0.028313
0.019731 39.37791 -76.66986 0.036539
0.028725 39.37756 -76.67015 0.053195
0.036604 39.37713 -76.67055 0.067785

Privacy Policy Sample
§ “We will never sell or share your personally identifiable information, like name,
where you drive, or VIN.”
§ “We want you to get the most value out of your Automatic experience and may
present offers from trusted partners to provide a solution that we think would make
your car ownership or driving experience better. For example, we might partner with
a tire manufacturer that is willing to extend your tire warranty if you choose to share
your data related to tire wear. These opportunities will always be user “opt-in” only.”
§ “Our products and services (and our business) may change from time to time. As a
result, at times we may need to make changes to this Privacy Policy. We reserve
the right to update or modify this Privacy Policy at any time and from time to time
without prior notice. However, if we make any material changes we will notify you by
email or by a notice on our website. “

Consumers should be aware that “smart”
devices are being used to gather data
about their owners.
Awareness

Companies should craft understandable
data usage policies and EULAs.
Awareness

Data Ownership You own the data generated
Data Reuse Your data may be used with
personally identifying information
removed to derive aggregate
statistics about…
Data Removal You may request that your data be
removed from our system by emailing
XXX. It will be removed within 48
hours of receiving the request.
Data Resale Your data may be sold to …

Strata NYC 2015 What does your smart device know about you?

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Strata NYC 2015 What does your smart device know about you?

Ähnlich wie Strata NYC 2015 What does your smart device know about you? (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Strata NYC 2015 What does your smart device know about you?