BM2 et al security concerns

roadtripper

2021 Caravelle Executive
VIP Member
T6 Legend
So I thought a bit before posting this as I know these are hugely popular and indeed useful and I've got one in my "to fit" pile. However this is somewhat in my day job territory and others may not run across it so I thought it useful to let others know.

For the quick summary a reasonably well known security researcher has discovered that the app used by the BM2 type battery monitors collects a lot more private information than they disclose or indeed need, mainly continuous location. They have seemingly responded to this but mostly by disclosing a little more rather than stopping the data collection.

It's a personal choice how comfortable you are with this given the highly useful data you can get, after all the hardware and software development likely isn't covered by the purchase price of the hardware alone. But as this data is not disclosed you can't make an informed choice.

Personally having seen this I'll likely still use the one I have bought, but I'll be installing the app on an old secondary phone for things I don't fully trust, not my own or work's "daily driver" phone.

Anyway the details and research are here:

 
On iOS, you can go to Settings -> Privacy & Security -> Location Services -> Battery Monitor BM2 and choose "Never" for location access. Here's my setting for Multi-Batt Mon (the app version that supports multiple devices)

While this does limit some of the data (more so than Android where unfortunately Google choose to tie Bluetooth security to having accurate location permission) there is still more data than I would be comfortable with apparently being sent.

Given the lengths the Android app seems to be going to, both to record location traces and to hide them with encryption until they can be uploaded, if I were on Apple I wouldn't wait for someone to do a similar in-depth analysis of the iOS app to see if it behaves the same.

For instance if it's recording cell tower IDs (and it is in Android) then your location can be quite easily inferred from the information they are gathering from the Android data.

Without wishing to fashion headwear from cooking foil there is so much value in location data that companies have invested serious effort in how to infer it with first order location data (such as GPS) missing. I think the last report I found listed about 40 ways of using legitimate operational information to get reasonably precise location. This article lists 4 common ones for Android:

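An audit check for the Android permission point in the post above, added here and not taken from the thread or from the BM2 app itself: it parses an app manifest and reports which location permissions are requested, whether background location is among them, and whether BLUETOOTH_SCAN is declared with the neverForLocation flag that Android 12 added so a BLE app can scan for devices without holding any location permission. The manifest is a constructed sample with a made-up package name, not the BM2 app's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app learn where the phone is.
LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}
BACKGROUND_LOCATION = "android.permission.ACCESS_BACKGROUND_LOCATION"
# Since Android 12 a BLE app may declare BLUETOOTH_SCAN with
# usesPermissionFlags="neverForLocation" and then needs no location permission to scan.
BLE_SCAN_PERM = "android.permission.BLUETOOTH_SCAN"


def audit_manifest(manifest_xml: str) -> dict:
    """Summarise the location-related permission requests in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    never_for_location = False
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(f"{{{ANDROID_NS}}}name", "")
            flags = elem.get(f"{{{ANDROID_NS}}}usesPermissionFlags", "")
            if name in LOCATION_PERMS:
                requested.add(name)
            if name == BLE_SCAN_PERM and "neverForLocation" in flags.split("|"):
                never_for_location = True
    return {
        "location_permissions": sorted(requested),
        "background_location": BACKGROUND_LOCATION in requested,
        "ble_scan_never_for_location": never_for_location,
        # If BLE scanning is declared as never used for location, scanning no
        # longer explains why the app asks for location at all.
        "location_unexplained_by_ble": bool(requested) and never_for_location,
    }


# Constructed sample manifest (hypothetical package name, not the real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.battery.monitor">
  <uses-permission android:name="android.permission.BLUETOOTH_SCAN"
      android:usesPermissionFlags="neverForLocation" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" />
</manifest>"""

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A manifest can be pulled out of an APK with apktool or aapt2 before running the check.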

Thanks for the heads up. As the article says, there can be no legitimate reason for a battery monitor collecting location data. This type of thing is all too common, and while they can get away with it, they will.
 
The BM2 app had a journey tracker, so a reason for location etc.
