BM2 et al security concerns

roadtripper

2021 Caravelle Executive
Moderator
VIP Member
T6 Legend
So I thought a bit before posting this as I know these are hugely popular and indeed useful and I've got one in my "to fit" pile. However this is somewhat in my day job territory and others may not run across it so I thought it useful to let others know.

For the quick summary a reasonably well know security researcher has discovered that the app used by the BM2 type battery monitors collects a lot more private information than they disclose or indeed need, mainly continuous location. They have seemingly responded to this but mostly by disclosing a little more rather than stopping the data collection.

It's a personal choice how comfortable you are with this given the highly useful data you can get, after all the hardware and software development likely isn't covered by the purchase price of the hardware alone. But as this data is not disclosed you can't make an informed choice.

Personally having seen this I'll likely still use the one I have bought, but I'll be installing the app on an old secondary phone for things I don't fully trust, not my own or work's "daily driver" phone.

Anyway the details and research are here:

 
On iOS, you can go to Settings -> Privacy & Security -> Location Services -> Battery Monitor BM2 and choose ”Never” for location access. Here’s my setting for Multi-Batt Mon (the app version that supports multiple devices)

1691072337230.png
 
On iOS, you can go to Settings -> Privacy & Security -> Location Services -> Battery Monitor BM2 and choose ”Never” for location access. Here’s my setting for Multi-Batt Mon (the app version that supports multiple devices)

View attachment 208217
While this does limit some of the data (more so than Android where unfortunately Google choose to tie Bluetooth security to having accurate location permission) there is still more data than I would be comfortable with apparently being sent.

Given the lengths the Android app seems to be going to both record location traces and hide them with encryption until they can be uploaded if I were on Apple I wouldn't wait for someone to do a similar in depth analysis of the iOS app to see if it behaves the same.

For instance if it's recording cell tower IDs (and it is in Android) then your location can be quite easily inferred from the information they are gathering from the Android data.

Without wishing to fashion headwear from cooking foil there is so much value in location data that companies have invested serious effort in how to infer it with first order location data (such as GPS) missing. I think the last report I found listed about 40 ways of using legitimate operational information to get reasonably precise location. This article lists 4 common ones for Android:

 
So I thought a bit before posting this as I know these are hugely popular and indeed useful and I've got one in my "to fit" pile. However this is somewhat in my day job territory and others may not run across it so I thought it useful to let others know.

For the quick summary a reasonably well know security researcher has discovered that the app used by the BM2 type battery monitors collects a lot more private information than they disclose or indeed need, mainly continuous location. They have seemingly responded to this but mostly by disclosing a little more rather than stopping the data collection.

It's a personal choice how comfortable you are with this given the highly useful data you can get, after all the hardware and software development likely isn't covered by the purchase price of the hardware alone. But as this data is not disclosed you can't make an informed choice.

Personally having seen this I'll likely still use the one I have bought, but I'll be installing the app on an old secondary phone for things I don't fully trust, not my own or work's "daily driver" phone.

Anyway the details and research are here:


Thanks for the heads up, as the article says there can be no legitimate reason for a battery monitor collecting location data. This type of thing is all too common and while they can get away with it, they will.
 
the BM2 APP had journey tracker , so a reason for location etc.


+++

1691078431919.png1691078442585.png1691078459111.png




+++
 
Back
Top