Home » Cybersecurity » Mobile Security » The Shared Security Weekly Blaze – Polar Fitness App Location Data Exposed, Blocking Scam Phone Calls, Samba TV Privacy Controversy

The Shared Security Weekly Blaze – Polar Fitness App Location Data Exposed, Blocking Scam Phone Calls, Samba TV Privacy Controversy

by Tom Eston on July 16, 2018

This is the Shared Security Weekly Blaze for July 16th, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!

Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!

Show Transcript
This is your Shared Security Weekly Blaze for July 16th 2018 with your host, Tom Eston. In this week’s episode: Polar fitness app location data exposed, blocking scam phone calls and the Samba TV privacy controversy.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

Sponsorships Available

I wanted to clarify a few details about the new California Privacy Act that I discussed on the Weekly Blaze podcast last week. While this law applies only to California residents, it will most likely have broader implications for all major businesses in the US. Most major companies that deal in personal data, have some California customers. That will leave those businesses with two options: either build systems and procedures to comply with California law, or treat Californians one way and every other customer another. It should be interesting to see how this plays out in the coming months before this law is made official in 2020.

Here we go again with more fitness apps exposing the location of spies and military personnel. You may remember back in February on the second episode of the Weekly Blaze podcast we discussed how the popular fitness app Strava inadvertently disclosed locations, daily routines and possible supply routes of known and unknown US military bases and CIA outposts. This information was all found though Strava’s publicly available “world-wide heatmap” of Strava users. This time around it’s fitness tracker Polar’s turn which has an app called “Polar Flow” that has a developer API that can be improperly queried. In addition to viewing the public Polar user map, the data exposed includes all user details including GPS coordinates. Journalists from the Dutch news site De Correspondent were able to identify over 6,400 users across 69 different nationalities that have been using the Polar Flow app to see who they are and where they worked using Google and LinkedIn to correlate the data. Many of these users were found to work for different government agencies including the Dutch military. Dutch authorities have noted that this is a major problem as there are rules about how the Dutch military should not wear their uniforms in public or have other personal information exposed which could identify them due to recent terrorist threats on military members and their families.

Polar responded last week by taking it’s publicly available activity map offline and issuing a statement noting that all users have “opted-in” to have their private information shared, as by default all workouts are private. However, no word from Polar about that misconfigured developer API. The Dutch military, as well as other countries, have started banning the use of fitness trackers due to these security concerns. Like we always mention on the show, even if you make sure your privacy setting in fitness apps like these are locked down, there may be ways, like insecure developer APIs, that could be used to pull your private data anyway. Let this issue with Polar be a reminder that you need to determine for yourself if you accept the risk of putting your personal workout data and location out there for anyone to potentially access.

Don’t you hate robocalls, telemarketers, and scammers calling our phones day in and day out? Well Google announced last week that they going to be adding a new feature to their phone app called “Call Screen” which will automatically screen calls for unknown and suspicious numbers. This new feature, which looks like it may launch on the Google Phone, will make suspicious calls answer one or more automated questions. The audio and audio transcription of the answers are then relayed to the call recipient so they can decide if they want to answer the call our not. This feature comes on the heels of a new “warning filter” that was implemented for telemarketing calls that is now part of Google Phone.

Nothing like this currently exists on Apple iOS, unless you install a third-party app such as RoboKiller which looks for scam calls via a blacklist of known scam numbers. However, it’s good to see Google stepping up to tackle the huge problem we have with scams that are all coming through our phones. According to the most recent fraud report by the US Federal Trade Commission, 70% of all fraud that was reported to the FTC were through phone calls. This totaled around $290 million in loss for victims. Hopefully what we see Google doing to help address this huge problem will carry over to Apple and other device manufactures as well.

Last week, two US Senators have called for an investigation into the business practices of smart TV manufactures because of recent privacy concerns about new technology that is being used to track consumer’s viewing habits. Most recently a New York times article called out Samba TV, which admitted that it collected viewing data from 13.5 million homes. The article questioned Samba TV’s relationship with major TV manufactures like Sony, Sharp, and Philips. Samba TV is installed on many newer smart TVs and allow users to “Interact with your favorite shows. Get recommendations based on the content you love. Connect your devices for exclusive content and special offers. By cleverly recognizing onscreen content, Samba Interactive TV lets you engage with your TV in a whole new way.” What I just read to you is exactly what Samba TV users read before opting in to allow viewing habits to be tracked. What the senators have concerns with is that there is no language about how much data is collected, how the data is shared and how to opt-out of being tracked. By opting into the Samba TV tracking you agree to your viewing habits being completely monitored which can even include what video games you may play, shows and movies you watch and can allow tailored ads sent to phones and laptops that share the same internet connection as your TV.

This is not the first time that a company has been in trouble for shady TV tracking practices. You may remember last year popular TV manufacture Vizio settled with the Federal Trade Commission to the tune of $2.2 million dollars for its collection and selling of viewing data of its users without their consent.

Our advice is that if you use Samba TV or any other similar application on your TV, review your settings and opt-out if tracking your viewing habits is a privacy concern to you. As the privacy debate grows stronger in the US and overseas it’s going to get really interesting to see how manufactures react to new government privacy regulations. As always, you have ultimate control of what data you share including your TV viewing habits.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.