A shoe that clocks your mileage for you and talks to your iPod may seem like a great idea, but users of the popular Nike+iPod could be surprised to learn that their digital music player is broadcasting sensitive information about them, such as where they are and where they’ve been.
The Nike+iPod stores and plays digital music files; more than 450,000 units have been sold since its August 2006 release. A chip that joggers slip into their shoe works as a pedometer, measuring speed and distance. The Nike+iPod also comes with a receiver that fits into an iPod Nano device and stores information that has been transferred wirelessly from the shoe. Runners who use the device can listen to tunes on their iPods while they jog, and then upload the data from their shoe sensors onto their computers in order to measure their distance, speed, and calories burned.
Fun gift? Not so fast. According to Tadayoshi Kohno, Scott Saponas, Jonathan Lester, and Carl Hartung of the University of Washington, the shoe sensor in the device emits a signal that can be easily detected by other iPods that have been only slightly modified. Using easily obtained and inexpensive tools, the researchers assembled several homemade devices and were able to pick up the sensor’s unique signature.
“Scott and I were talking one day about possible research projects for my fall graduate computer security course,” recalls Kohno. “We both shared a common interest in the security and privacy of medical and health-care devices, and he observed that the new Nike+iPod Sport Kit is probably the first and most prominent example of the next generation of personal, ubiquitous electronic health-care accessories. The next morning I brought a stack of Nike+iPod Sport Kits to the lab for Scott, Jonathan, and Carl to study. By 2 p.m. that day, Scott e-mailed me with some new discoveries. He found that the serial numbers of the sensors are stored on the iPod Nano’s hard disk in plain text (i.e., unencrypted and readable by anyone). He also discovered that, if a sensor is being used by one Nano during a workout, another Nano can still detect the sensor and get its serial number. I think that was a Eureka moment for all of us. In less than a day Scott discovered that the Nike+iPod Sport Kit could be used as a tracking device. All we had to do was make it cheaper and easier to do so.”
According to the team, potential stalkers could create their own Nike+iPod detector easily and then learn the unique signature of their target’s iPod simply by walking their intended victim to his or her car. One of the team’s inventions connects a receiver from the Nike+iPod kit to a laptop’s serial port. The screen displays all of the other Nike+iPods in range, making it possible for a stalker to track several people at once using Google Maps. This could allow someone like a professional thief, mugger, or predator to observe a large group of people and select a target among them based on such criteria as how late the person worked, when he or she left the house, where the person went, etc. An assailant could even modify the system to send out an e-mail or text message when something significant was about to occur with one of the surveillance subjects.
To address these issues, the team recommends that owners of the Nike+iPod turn off their gadgets when not using them. They’ve also recommended that both Nike and iPod take steps to correct the problem. Finally, Kohno suggests that consumers exercise caution when buying trendy gadgets that may compromise privacy.
“There is a constant tussle between the lures of new technologies and privacy,” says Kohno. “As our study shows, the privacy issues with new technologies may not be immediately apparent. But our study also shows that it is technically possible to significantly improve the privacy-preserving properties of some of these new technologies. People should therefore remain vigilant, not in spite of but rather because of the fact that many of these new devices can compromise privacy in unexpected ways.”
-Patrick Tucker
Originally published in THE FUTURIST, May-June 2007