UW News

December 7, 2006

You can run but you can’t hide: UW graduate students expose possible privacy breach in Nike+iPod Sport Kit

Most college term papers don’t make the national news. But a fall quarter computer science project by UW graduate students grabbed headlines over the past week. And long after CNN, NPR and Fox News have moved on to other stories, the project may affect how consumer electronics are manufactured.

It all started in October when computer science and engineering graduate students Scott Saponas and Carl Hartung began a term project for CSE599, “Selected Topics in Computer Security.” Casting about for a good topic, they turned to Saponas’ new exercise accessory: the Nike+iPod Sport Kit.

“I was using this gadget in my workouts, and I started wondering about how the sensor in my shoe was communicating with my iPod,” says Saponas, who is an avid runner. “I wondered if somebody could intercept the signal.”

Since its August release, retailers have sold more than 450,000 Nike+iPod Sport Kits, according to AppleInsider. One piece is a chip the size of a dinner mint that acts as a pedometer, which runners slip into their shoe. The other piece is a receiver that fits into an iPod Nano and stores information beamed from the person’s foot. After their workouts, high-tech runners can upload the data and use a Nike software program to track their distance, speed and calories burned.

The students invited electrical engineering graduate student Jonathan Lester, Saponas’ lab-mate, to join the group. Together they discovered that the sensor in the shoe emits a unique signal detectable by any compatible receiver within a range of up to 60 feet.

“Once we figured out that we could read the serial number, we decided to see what we could do with it,” says Lester. “The project just kind of snowballed.”

Working with assistant professor of computer science and engineering Yoshi Kohno, an expert on computer security, they prepared a technical report to document their findings and generate public discussion about the privacy of new technologies. The students also filmed an accompanying video showing a privacy breach.

Not content to just speculate about what might go wrong, the group concocted a variety of homemade devices able to pick up the signature. The simplest connects a receiver from another Nike+iPod kit to a laptop’s serial port. A more sophisticated system uses a matchbox-sized computer with wireless Internet access to record multiple users’ whereabouts, send the information to a central server, plot people’s locations using Google Maps and alert the person doing the tracking with an e-mail or text message.

The technical report describes possible scenarios. A thief could track when people enter or leave their homes. A jealous boyfriend could track a woman’s movements, or compare them with the movements of a suspected rival. Although a receiver only picks up the signal when a person is within range, a stalker could hide receivers near a home, a gym and a restaurant, for example, to closely monitor his or her target’s movements.

The researchers report that it took them an afternoon to figure out how to decode a receiver’s unique tag and a few hours to write the code that interprets the sensor data. They estimate that an electronics hobbyist could build a system in a few hours, or at most a weekend. And if somebody posted sensor-scanning code on the Internet, it would be easy for others to build copycat devices.

The team tested the technology to track each other’s movements and those of colleagues in the UW computer science building. Ethical concerns prevented them from trying the device on unsuspecting targets. But because the signal can be picked up silently by any number of receivers, they say there’s no way to know whether this spying technique has already been put into practice.

Researchers suggest that people who own a Nike+iPod Sport Kit turn it off when they’re not exercising so that it stops emitting signals. The report also suggests a number of ways the company could have made the device more secure using standard techniques from modern cryptography.

Electronic privacy relates to the students’ research on ubiquitous computing, a field that seeks to integrate computers into the environment around us.

“A lot of ubiquitous computing applications involve wireless communications,” says Hartung. “And anytime you send information through the air you have to be conscious of what you’re sending, and what people could possibly intercept.”

“There’s a bigger issue here,” agrees Kohno. “When people buy a consumer device like the Nike+iPod kit, they generally have no way of knowing whether the device might enable someone to violate their privacy. We need to change that.”

News stories on CNN and Fox News are one thing. But will these students pass their class? Kohno smiled, but he was mum on the subject — like other students, they’ll have to wait to get their results in January.


A three-minute video on the project and a copy of the technical report are posted at www.uwnews.org and at www.cs.washington.edu/research/systems/privacy.html.