These days Bluetooth-based gadgets are everywhere, including for car and solar batteries. After connecting them up to the battery, you download the accompanying app on your smartphone, open it up and like magic you can keep tabs on your precious pile of chemistry that keeps things ticking along. Yet as [haxrob] discovered during an analysis, many of these devices will happily pass your location and other information along to remote servers.
The device in question is a Bluetooth 4.0 Battery Monitor that is resold under many brands, and which by itself would seem to do just what it is said to do, from monitoring a battery to running crank tests. Where things get unpleasant is with the Battery Monitor 2 (BM2) mobile app that accompanies the device. It integrates a library called AMap which is “a leading provider of digital map in China” and part of Alibaba. Although the app’s information page claims that no personal information is collected, the data intercepted with Wireshark would beg to differ.
In part 2 of this series, the BM2 app is reverse-engineered, decompiling the Java code. The personal information includes the latitude and longitude, as well as GPS, cell phone tower cell IDs and WiFi beacon data, which understandably has people rather upset. In addition to leaking your personal info, the BM2 app seems to be also good at running constantly in the background, which ironically drains your phone’s battery at an alarming rate.
Cases like these should be both a warning to not just install any app on your smartphone, as well as a wake-up call to Google and others to prevent such blatant privacy violations.
(Thanks to [Drew] for the tip)
Now to make a hacked version that floods them with fake data.
My phone could be a lot more useful for me if I bothered to install all those neat apps that also spy on me.
I bought one of these earlier this year, haven’t got around to setting it up yet, guess I’ll hold off for now. I wonder if the iPhone app phone home too?
This is more confirmation of what we already know. The battery monitor itself and the fact that it is from china changes little really.
I mean, why do you think every store wants you to install your app to have “discounts”, McDonalds has an app, as does every airliner, bank, drugstore, public transport system, car rental, etc etc.
Every single one of them is interested in collecting every bit of data they possibly can.
No matter where it comes from, every time you install an app you are giving them access to your personal information. The difference with this is that they send it to china, which has a harder time using it to squeeze more out of you I guess.
On my Android phone I just disable network access to an app like this. Or better yet, don’t buy something that requires an app in the first place.
Yup they are using the Meta gameplan and expanding it as much as they can get away with
Why would people be upset? Most people have TikTok, and other apps like this doing the same thing all day long. We are so monitored by so many things these days you would be a fool to think your not.
You deliberately install a “social” media app – or not. I do not. But when you just want to connect to an innocent looking battery monitor, use Bluetooth as an invisible serial cable, I would not expect the app to access my location or network or sedn any data at all to the internet.
“Cases like these should be both a warning to not just install any app on your smartphone, as well as a wake-up call to Google and others to prevent such blatant privacy violations.”
But Apple’s walled garden is the greatest threat to freedom ever!!! /s
Yeah, the solution to privacy problems is obviously to centralize all power and personal data in the hands of a single private company, specially one with zero transparency of accountability.
When such a company wants to lock their users (and data) in their own systems it is obviously for their own benefit.
You can either have a non walled garden and user tracking or a walled garden…. and also user tracking:
“The iPhone iOS version can be found here. While I have not peformed any static analysis on the iOS decompilations to date, inspection of the network traffic from the phone reveals that that the Apple iPhone version is also sending location data to remote servers.” — source: the exact article linked.
“The personal information includes the latitude and longitude, as well as GPS, cell phone tower cell IDs and WiFi beacon data”
But of course. This will help when the US is declared a territory of China. Need to know where all it’s citizens are.
Netguard
Install it, block everything and see what is trying to be too talkative.
Use the Github version rather than the Play Store version and get device-wide adblocking to boot.
And just don’t install crap to start with….
https://github.com/M66B/NetGuard
Trying this now, thanks for the tip!
I think some of this has to be blamed on Andriod SDK also, eg for accessing BLE the SDK forces user to grant permission to Location data as well, not sure wht on technical earth is preventing them to have acess only to ble radio chip and not GPS chip, seems like the data greedy compsny is google itself..
I think they’re often one and the same. At least the modules I’ve worked with. Having separate packages for each RF would be less efficient.
My understanding is that, ironically, this change was meant to improve privacy. Before Android 5 (I think), the location permission was not required to scan for BLE or WiFi, but the results of such scans could be indirectly used to infer the location of the user. The “solution” is just as bad as the problem though.
I guess I’m an endangered species. No cellphone. No “smart” devices.” No “cloud” storage. No paid software, much less “subscriptions.” No IoT devices – with the exception of my computers, that are highly firewalled and secured…
I don’t really like automatic battery chargers. I prefer straight transformer/rectifier units. This, though… there is no WAY my battery charger needs bluetooth or network connection through an “app.”
Same here…no interrupting cellphones beeping all day. Reminds me of how things used to be in the 80’s. I can only describe my daily compute experience as…bliss…everything just works, so I can actually get work done (and a lot of it). :-)
When I was a kid I had some of the earliest pocket computers with phones in second hand and they were great, both a useful phone, handy calculator, camera that while not great was useful, the office type suit of programs that lets you look at (and edit if you are desperate) your files, web browsing when you need it. All great stuff as a supplement to doing real work/learning (and with games if you wanted them too, which is great for those times the train gets delayed). The OS on those things was rather more truly just an OS, and everything works offline perfectly. Not as modern devices (including computers if you run Windoze) that want to phone home, shove ads at you and spy for good measure!
Now I still have a smartphone, as a way to stay in touch with folks is in the modern world rather required, and the web based messaging and calls are massive cheaper than SMS etc. But de-googled is the preference, and I don’t really use it much, it gets off the desk pretty rarely. It is still just too useful when away from a more real computer to go without but it doesn’t really get to feed any data to anybody that wouldn’t be trivial to find in other ways.
I am however entirely with you on IoT, Cloud, and subscriptions for software. Though there are still some programs I use that are paid for – great as open source stuff is there are a few niches where it is less direct of a replacement, and times you go with the crowd for file compatibility. Pretty rare cases these days, but it does still happen.
Probably, just to be authentic, with old fashioned selenium plate rectifier, or not? Like the old car battery charger of my grandfather.
A modern battery, unlike the old edison nickel-iron battery, is sensitive to overcharging. I do not want to carry the responsibility to personally supervise such a simple task as battery charging. I consider this only slightly more interesting than watching paint drying. Therefore I like automatic battery chargers. And for this purpose they also do not need to be “smart” or IoT, but “transformer and rectifier alone” has already damaged some batteries for me
Yee, charging my lithium-iron motorcycle batteries with a manual rig from the 40’s is not on my to do list.
We’re not an endangered species, people just assume so because we’re much harder to find ;)
About the same for me. Basic cellphone for emergencies only (switched off almost all the time), no smartphone, no “social” media, Linux on my computers with FLOSS only (except firmware blobs when there is no other way), …
But i guess – and that is really scary – a lot of people don’t even CARE that some app is sending their life to some servers in whatever country. :(
And don’t forget that new satellite system that can interact with BT from orbit. I just assume these days that if you are emitting any form of EMR then somebody knows exactly where you are, and possibly from analysis using an AI even what you are doing.
I think even with best AI the 2,4Ghz band is so full of wideband noise, that tracking an individuum from a satellite is (nearly) impossible.
I gather that you are not familiar with beamforming using phase arrays? Seriously, I would never assume that you can disappear in the noise. They wouldn’t have launched a space based BT system if it wasn’t possible.
6 months later and StarLink launches satellites that can communicate with standard phones.
I installed ProxyGen on my iPhone and I wish I didn’t do that. It is a man-in-the-middle attack app that shows all HTTPS traffic unencrypted. Open few apps and you have megabytes of data going out.
First aid on iPhone is to install Lockdown, it doesn’t block all but it is still mandatory for everyone!
The amount of data leak from apps is just horrible. We are tracked more than ever. Data is new gold in bad meaning.
I have a Xiaomi Flower Mate or whatever it is called. Is also supposed to be used with some app that asked way too many permissions and probably sends loads of data to China. So instead it is being read by a Domoticz plugin.
None of this is to do with it being a bluetooth device. The app is collecting the data, the app is sending the data. The bluetooth device is there purely as an incentive to install the app.
This was my thought exactly.
Close, the bluetooth device is not just there as an incentive, it’s there so you have to enable location permissions to the app otherwise it doesn’t work. It’s a flaw in the granularity (or lack there of) of the Android permissions.
I did buy this and have the battery monitor installed in my truck. I recall an earlier version of the app did still run if you denied GPS access… like use your own common sense (if this still exists): “Why does a battery monitor require GPS access?”. However, at some point, the updated app would abort installation if GPS access was denied. So I too aborted it’s installation… Very arrogant and insistent of them. Make sure you all comment under the review section of stores this is available from to warn others! This battery monitor hardware could benefit from a third party app without the spyware!
I was considering this myself, shouldn’t be too hard to sniff?
On recent Androind the system enforces that you grant GPS permission to be allowed to use the Bluetooth radio. Any app will thus require it.
Got a bluetooth thermal printer that does the same. Mercifully it is otherwise so generic that simply plugging it in via usb works perfectly fine with generic printer drivers but I still cracked it open and removed the bluetooth component because it would aggressively attempt to connect to the first usb device it could find.
Something like the Sony Erisson P800? I still have mine from the early 2000’s. Actually, only needs a new battery to function as a basic smartphone again. Symbian OS…
In my country they have turned off 2G and 3G mobile phone networks. Unfortunately all the old phones that “just worked” are e-waste now.
Well I’m running CalyxOS on my phone and install very few apps. And most of those are well established open source ones. Now it’s just the phone carrier that can spy on my location (in theory at least).