Up to this point, accessing data from RuuviTags has required physical proximity because of the limited range of BLE transmissions. Once the data is relayed to a default server maintained by Ruuvi, however, pretty much anyone from anywhere can access it, which changes the threats to consider.
Violating user privacy
– The movement data in particular can be used to track the lifestyle of an individual if the owner of the RuuviTag is known. For example, a tag on a bed tells when the user went to sleep, how restlessly they slept and when they woke up.
– If a user leaves a tag monitoring a remote location, someone could trigger a false alarm by sending fabricated data which shows, for example, that the water pipes are about to freeze.
Denial of service
– If someone can spam invalid data, the bandwidth and storage needed to carry and keep it grow with the volume of spam. If the data is downsampled, the value that remains after downsampling could be one of the spam values, so spam can corrupt the stored history as well as inflate it.
Protection against threats
Encrypting tag data
– The tag data is encrypted with AES-128, using a key formed from a user-configurable password and the tag ID. For details of the encrypted data format, please see this proposal. To read or forge the data, an attacker must have had physical access to the tag to scan the ID and must also know the password.
Checksum on decrypted data, measurement counter
– The tag data contains a checksum computed over the decrypted data; the chance that a random string of bytes decrypts to something matching the checksum is 1/256. Additionally, a spoofer must know the current measurement counter value, otherwise the spoof is detected as a jump in the counter sequence.
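The three mechanisms above (AES-128 with a key built from password and tag ID, a checksum over the decrypted block, and a monotonic measurement counter) as one runnable model. This is an added example written for this page, not Ruuvi's firmware and not the format from the linked proposal: the 16-byte block layout, the XOR checksum, SHA-256 key derivation from password plus tag ID, and the counter window of 100 are assumptions made here for illustration, and the tag ID, password and sensor bytes are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/rand"
)

// Assumed plaintext block layout (not Ruuvi's actual format):
//   bytes 0..1   measurement counter, big endian
//   bytes 2..14  sensor payload (13 bytes)
//   byte  15     checksum: XOR of bytes 0..14
const (
	blockSize   = 16
	payloadSize = 13
)

var (
	ErrLength   = errors.New("block is not 16 bytes")
	ErrChecksum = errors.New("checksum mismatch: wrong key, corrupted or random data")
	ErrCounter  = errors.New("counter outside expected window: replay or spoof")
)

// deriveKey turns the password and tag ID into a 128-bit AES key. The post
// only says the two together form the key; hashing them is this example's
// assumption so that any password length yields exactly 16 key bytes.
func deriveKey(password string, tagID []byte) []byte {
	h := sha256.New()
	h.Write([]byte(password))
	h.Write(tagID)
	return h.Sum(nil)[:16]
}

// checksum is the 8-bit XOR of its input, so a random block passes it 1/256 of the time.
func checksum(b []byte) byte {
	var c byte
	for _, x := range b {
		c ^= x
	}
	return c
}

// Encrypt builds one measurement block and encrypts it with a single raw AES-128
// block operation. The counter differs per measurement, so two identical sensor
// readings still produce different ciphertexts.
func Encrypt(key []byte, counter uint16, payload [payloadSize]byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, blockSize)
	binary.BigEndian.PutUint16(pt[0:2], counter)
	copy(pt[2:2+payloadSize], payload[:])
	pt[blockSize-1] = checksum(pt[:blockSize-1])
	ct := make([]byte, blockSize)
	c.Encrypt(ct, pt)
	return ct, nil
}

// Receiver is the server-side state for one tag: its key and the last accepted counter.
type Receiver struct {
	key     []byte
	last    uint16
	started bool
	MaxJump uint16 // largest counter gap tolerated (missed measurements)
}

// Accept decrypts one block and applies both checks from the post: the checksum
// must match and the counter must move forward by 1..MaxJump.
func (r *Receiver) Accept(ct []byte) ([payloadSize]byte, error) {
	var payload [payloadSize]byte
	if len(ct) != blockSize {
		return payload, ErrLength
	}
	c, err := aes.NewCipher(r.key)
	if err != nil {
		return payload, err
	}
	pt := make([]byte, blockSize)
	c.Decrypt(pt, ct)
	if checksum(pt[:blockSize-1]) != pt[blockSize-1] {
		return payload, ErrChecksum
	}
	counter := binary.BigEndian.Uint16(pt[0:2])
	if r.started {
		gap := counter - r.last // uint16 arithmetic: a replay or old value wraps to a huge gap
		if gap == 0 || gap > r.MaxJump {
			return payload, ErrCounter
		}
	}
	r.last, r.started = counter, true
	copy(payload[:], pt[2:2+payloadSize])
	return payload, nil
}

// SpamSurvivors models the spam case: n random blocks are thrown at a receiver
// whose last accepted counter is `last`. It returns how many pass the checksum
// alone (about n/256) and how many also fall inside the counter window.
func SpamSurvivors(key []byte, last, maxJump uint16, n int, seed int64) (passChecksum, passBoth int) {
	rng := rand.New(rand.NewSource(seed)) // seeded so the simulation is repeatable
	c, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0
	}
	pt, ct := make([]byte, blockSize), make([]byte, blockSize)
	for i := 0; i < n; i++ {
		rng.Read(ct)
		c.Decrypt(pt, ct)
		if checksum(pt[:blockSize-1]) != pt[blockSize-1] {
			continue
		}
		passChecksum++
		if gap := binary.BigEndian.Uint16(pt[0:2]) - last; gap != 0 && gap <= maxJump {
			passBoth++
		}
	}
	return passChecksum, passBoth
}

func main() {
	tagID := []byte{0xC4, 0x3E, 0x21, 0x9A, 0x07, 0x55} // constructed sample tag ID
	key := deriveKey("correct horse", tagID)            // constructed sample password
	rx := &Receiver{key: key, MaxJump: 100}
	var reading [payloadSize]byte
	reading[0] = 0x07 // constructed sensor byte
	ct, _ := Encrypt(key, 42, reading)
	_, err := rx.Accept(ct)
	fmt.Println("genuine block:", err)
	_, err = rx.Accept(ct)
	fmt.Println("replayed block:", err)
	chk, both := SpamSurvivors(key, 42, 100, 65536, 1)
	fmt.Printf("random spam: %d of 65536 pass the checksum, %d also pass the counter window\n", chk, both)
}
```

Two things the model makes visible. A random or wrong-key block gets past the 8-bit checksum roughly once in 256 attempts, so the checksum detects accidental corruption and blind spam but is not a cryptographic authentication tag; a keyed MAC over the block (AES-CMAC, or an AEAD mode) would remove that residual 1/256. The counter window then does most of the remaining filtering, and its size is a direct trade between spoof and replay resistance and tolerance for measurements lost in transit.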
Writing data to Ruuvi servers requires knowing MAC address
– Data is sent and queried by the MAC address of the tag, which is a 46-bit random number. It is possible to scan the address space to find some tags and start spamming them, or, if the target MAC address is already known (it is broadcast in every BLE advertisement, so anyone who has been within range of the tag has it), to spam that tag directly. Any ideas on how to protect against this sort of attack? One solution is to use a dedicated server with access control, but we'd like to offer free (as in beer and speech) alternatives.
As always, we need to make compromises between security, convenience and price. Please let us know your ideas and feedback on this security model; at this point everything can be adjusted to meet the needs of the community.