informa
/
Vulnerabilities/Threats
News

Nike Bares Its Sole

New combination of running shoes with Apple iPod leaves joggers open to electronic surveillance

11:05 AM -- You've seen the new Nike commercials: A man is running. He's got his iPod on, but it's not just playing music; it's telling him how far he's been, and how far he has left to go. And if you've ever done any jogging, you know that good music and tracking your distance are the two most important things in the sport.

Pretty cool, huh? So how does it work? Some security researchers at the University of Washington wanted to know, too, so they got themselves some of the shoes -- and promptly hacked them. In fact, they invented a simple device that could allow any stalker to monitor the movement of any jogger who's wearing that keen new Nike product.

Chalk up another gaffe for product designers who fail to consider the security implications of what they're doing.

The Nike+iPod kit consists of a sensor placed in the sole of the left shoe and a receiver that plugs into the bottom of the iPod. The sensor detects your steps while walking or jogging, and transmits the information to the receiver via a wireless RFID signal. During the workout, the iPod can be set to tell the runner about his or her time, distance, pace, or calories burned.

Unfortunately, the researchers say, Nike and Apple chose not to encrypt the RFID signal, leaving it readable up to 60 feet away. The researchers created several simple devices that can intercept the signal, capture the runner's unique identifier, and track his or her movements. The hack is cheap -- a surveillance node costs about $250 to build -- and simple enough to be re-created by any high school student, the researchers say.

The researchers don't know whether Apple or Nike considered encrypting the signal or not. It's possible that the vulnerability was simply overlooked. But the researchers also note that such encryption would have had a negative impact on the sensor's battery life, as well as the cost of the product. So it's also possible that the technology's designers considered encryption, and then rejected the idea.

In either case, the flaw was a major oversight by two major companies that ought to have known better. Apple has spent the last few months arguing with hackers about other wireless vulnerabilities in its products -- you'd think the RFID issue would have crossed somebody's mind.

Just about anything that uses computer technology these days is subject to hacking. Go to any Black Hat conference and you'll see in-the-wild exploits that involve copiers, fax machines, even Coke machines or coffeemakers. Hackers know how to break into this stuff -- and if they don't, they won't sleep until they've figured it out.

Wake up, Nike, Apple, and all other computer technology-involved manufacturers -- security matters. You'd better take the time to consider it during the design phase, or you'll be sorry in the end.

Now, if you'll excuse me, it's time for me to go for a run. Where did I put that old Walkman, anyway?

— Tim Wilson, Site Editor, Dark Reading

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5