Can Your Bed Keep A Secret?

Maybe your first question is (and probably should be): What secret could my bed have and who would it tell anyway? If you have any familiarity with the Sleep Number bed you may also have heard of the Sleep IQ option that you can get. I had not previously heard of it, but when we went to buy a new bed I became aware of this innovation.

I have a Samsung Gear S3 watch that tracks my sleep, probably in much the same way as Fitbit and many other wearable devices. It lets me know how long I was sleeping restlessly, lightly and motionlessly. It gives me total time asleep and an efficiency rating. I have no idea how it decides these categories but in general, it seems to match my perception of whether or not I had a good sleep. Higher efficiency numbers seem to correlate to a better night’s sleep. This data is between me and my watch and my phone where the history lives. Barring malware, this information goes no further. I typed that sentence and then decided to check my phone. While I have no apps installed that share my health data, it turns out my data does go to Samsung servers.

Thinking about that, I wound up going down an internet rabbit hole trying to find out what data they had about me. Unfortunately the trip produced no results. So I assume that whatever data I see in the app, they have. Their website assures me that this is okay because as they say:

So I decided to track down Samsung Knox, if possible and see what it was/is. Knox is supposed to be an enterprise scale security solution. It is supposed to let you partition work and personal data on your phone and is/was available from vendors selling Samsung phones. I use ‘is/was’ because the status of Knox seems to be rather fluid. Back in 2014, a researcher blogged about some deficiencies in Knox Personal, which was then replaced by My Knox. In 2017 My Knox was discontinued and Secure Folder became the chosen security method for Samsung devices running Android Nougat 7.0 or higher.

Secure folder has some nice features (taken from this article):

• Apps and data moved to Secure Folder are kept separate, leveraging SE for Android – preventing unauthorized communication between apps inside and outside Secure Folder.
• Application data and files are encrypted withdefense-grade Sensitive Data Protection (SDP)technology – using a 256-bit AES cipher algorithm to secure data.
• Data remains encrypted even after the user has exited Secure Folder or has turned off the device, and is decrypted when a user authenticates to access the Secure Folder. But keep in mind that Secure Folder authentication is just a gatekeeper to the encrypted data.

My Galaxy S8+ can use this app but it has to be added manually. So that is good – my data and apps can be set up so it is very secure, ON MY PHONE. What about Samsung’s servers? And why should I (and by inference, you) care about your data on someone’s servers?

This article talks about two CNET.com folks who asked some security experts to look at the dark web and see if any of their personal information could be found. The results?

“Detailed information about Graham was included in a WikiLeaks-related “fullz” dump, a data breach that can include financial information like Social Security numbers, credit card numbers, date of birth and mailing addresses. Fortunately, most of Graham’s information was related to a prior address or no longer relevant. Still, his information, along with the details of several thousand additional users, was for sale at the cut-rate price of $69.”

“My [the article’s author] exposure was slightly greater. Terbium found my name, email address and other personal details that were associated with my current phone number on a fraud site called Black Stuff. By plugging some of the information into the dark web site Torch, I was able to uncover additional details, including older geographic coordinates.”

That information came from some server somewhere. Possibly some apps the authors used or some data that was entrusted to someone for some reason. Note the last part of the second paragraph “geographic coordinates”. That means your location. In this instance they were older and presumably not meaningful, but what about some other breach? Could someone be selling your current whereabouts? This can be a serious issue in cases of spousal abuse or stalking or high profile people subject to kidnapping.

So my watch knows where I go. My phone knows where I go. My bed knows how and when I sleep and I need to trust a lot of other people to keep all that information secret. I don’t know about you, but that does not make me feel all warm and fuzzy about keeping what I do between me and my devices. It takes a lot of effort to set up what little control we have over our data. Keep in mind that whenever data is collected, by definition it is stored somewhere. The bad guys are out to get that data and sell it. We all need to be very careful about what kind of data we allow to be collected and with whom we share it. These days, data breaches are a fact of life and it is truly a matter of when not if your data will be exposed.