You are currently viewing a new version of our website. To view the old version click .
MDPIMDPI
Search all articles
Proceedings
Download PDF
  • Proceeding Paper
  • Open Access

26 October 2018

Assessment of Fitness Tracker Security: A Case of Study †

,
,
and
1
University Carlos III de Madrid, Avda, de la Universidad 30, 28911 Leganés, Spain
2
Alumni University Carlos III of Madrid, 28911 Madrid, Spain
*
Author to whom correspondence should be addressed.
Presented at the 12th International Conference on Ubiquitous Computing and Ambient Intelligence (UCAmI 2018), Punta Cana, Dominican Republic, 4–7 December 2018.
Proceedings2018, 2(19), 1235;https://doi.org/10.3390/proceedings2191235
This article belongs to the Proceedings UCAmI 2018
Version Notes
Order Reprints

Abstract

The wearable industry has experienced a notable growth over the last decade, especially in fitness or e-health trackers. These trackers bring new functionalities that require collecting a great amount of sensitive information about the user. This fact has made fitness trackers the target of deliberate attacks, e.g., eavesdropping, unauthorized account access, fake firmware update, and so on. For this reason, this paper describes a vulnerability study on one of the most popular fitness trackers in 2017, together with the mobile application associated to the tracker. The study results show what vulnerabilities of the communications among agents (i.e., wearable device, mobile application and server) could put at risk users sensitive information and privacy.

1. Introduction

The Internet of Things (IoT) paradigm has encouraged the creation of environments with interconnected highly heterogeneous entities and networks. This can be reflected in the notable growth of wearable devices and applications over the last decade. Many of the devices are focused on monitoring physical activities for healthcare. That is the case of personal fitness trackers or wristbands, which offer new functionalities that require the collection of a wide amount of sensitive information about the user.
Fitness trackers designed to be worn all day long by users, track steps and physical activity of their owners, but they are also able to track their sleep duration and consistency, and many other factors related to users’ health. Therefore, they are designed to locally gather all the information they can about the user throughout the day. The gathered information can later be synchronized with a mobile application, and then sent to servers controlled by fitness tracker manufacturers.
There is an intrinsic need to ensure users privacy and to minimize security vulnerabilities. For this reason, several studies [1,2,3,4,5,6] have showed the vulnerabilities and risks of these devices and security improvements have been carried out. Nevertheless, recent studies [7,8,9] have discovered still privacy and security issues, e.g., related to geolocation or unclear policies leaving the door open for the sale of users’ fitness data to third parties without express consent of the users. In this study we analyse the potential security vulnerabilities of the communication of one of the most popular fitness trackers in the market1 with the mobile application, the synchronization with the manufacturer’s servers, and the data shared with third party applications. The tracker -used in this study- has not been analysed in the literature and uses the same protocols that are used by most devices. In addition, the study has been carried out during several months, allowing us to discover privacy vulnerabilities that have not been analysed so far in the literature. The OAuth2 protocol implementation has been also analysed, as part of the traffic exchanged between the mobile application and the servers. To carry out the study, we have used Bluetooth test tools and sniffer software.
This paper is organized as follows. Section 2 describes the previous studies performed about vulnerabilities in personal fitness trackers and introduces Bluetooth Low Energy (BLE) as communication protocol between wearable and mobile devices. Section 3 gives details about the study performed. Section 4 describes the privacy and security vulnerabilities found in the communication between wearable and mobile app, the communication between mobile app and server and the API. Finally, Section 5 contains the conclusions, recommendations from the results and future work.

3. Study Description and Setup

The vulnerability study has been mainly focused on the possible privacy and security vulnerabilities of the communications among agents: wearable device, mobile application and server. So the study has been divided in two main sections: the communication between wearable device (i.e., fitness tracker) and mobile application (i.e., in Android, iOS and others) using BLE; and communication between mobile application and server, using Internet. In addition, the manufacturer offers an API service for third party applications to interact with the user’s data. The API offers a registry process that involves OAuth 2.0 protocol [17,18].
The communication between the tracker and the mobile application is handled by BLE, also referred to as Bluetooth Smart. For sniffing the BLE communication, a passive analysis was carried out by employing two different methods:
  • enabling the Bluetooth HCI snoop log Developer Options feature in Android phone. When this feature is enabled, a log file (btsnoop_hci.log) is created. In this file, all the BLE HCI packets (i.e., packets exchanged between controller and the host interface) are registered.
  • using an Ubertooth-One hardware and software (in a laptop) to monitor and decode Bluetooth packets.
The resulting dump file in the Android phone and the traffic captured by Ubertooth were inspected by using Wireshark. In addition, we use mobile apps such as BLEScanner and nRF Connect.
The communication between the mobile application and the server (e.g., cloud-based services) uses HTTP/HTTPS and the OAuth 2.0 protocol for authorization. Applications to capture the traffic were used such as Inspeckage and mitmproxy. These same tools were used for testing third party applications. In addition, we make reverse engineering in the mobile app in order to bypass the certificate pinning.
The whole scenario is depicted in Figure 2, where different agents interacting and a laptop with the sniffer tools and also the Bluetooth hardware can be seen.
Figure 2. Scenario for communication testing.
The study was carried out during four months approximately. In those months, we performed different tests to assess the security of the tracker, mobile app and server communications and API. The Table 1 shows the tests carried out in: the communication between wearable and mobile devices (Section 4.1), the communication between mobile app and server (Section 4.2) and the API (Section 4.3).
Table 1. Tests carried out for each part of the study.
The data managed by this kind of devices are related to the user, such as personal, contact and physical activity, and to the device. Table 2 summarizes the attributes that can be managed, grouped by basic and additional attributes. “Basic attributes” are the data given by the user when creating an account and registering his/her device, information collected by the tracker and the technical information about device when it synchronizes with the mobile application. “Additional attributes” allow users to provide more information in order to enjoy additional services (e.g., associating a Facebook or Google+ account, sending messages and logging food) or customize his/her account (e.g., profile photos).
Table 2. Data managed by fitness trackers.
These data represent the assets to be protected, because these are shared by all agents in the scenario. The data can be grouped in three categories according to the sensitivity of the information: PD, AD and DI. PD contains the personal data and contact information that allow identifying the users, called Personally Identifiable Information. AD contains the user’s physical activity data gathered by the wearable device. With the aggregated activity data would be more difficult to identify a user (than using PD). DI contains information about the tracker or the user’s mobile phone, including location.

4. Vulnerabilities Results

4.1. Vulnerabilities in the Communication between Wearable and Mobile Devices

After analysing the pairing and synchronization processes (i.e., T1 to T3 in Table 1) between wearable and mobile devices, using manufacturer mobile app and free apps to manage BLE connections, the more relevant possible vulnerabilities found were:
  • Use of Public BDAs and General Discovery. After keeping track of the fitness tracker’s BDA, it was found that its value did not change, which involves that it uses a Public BDA. Given its value is fixed and unique, a user could be tracked by this identifier, violating her/his privacy, because this information is contained in all the advertising PDUs.
    In addition, the risk increases if we take into account the release of applications such as RamBLE that scan for BLE devices in order to obtain information from their undirected advertising packets (ADV_IND) and their SCAN_RSP. Besides, the application also stores the device’s BDA with the geographic location at which it was detected. The information is shown graphically in a map. This information can be obtained easily, because the tracker always uses general discovery instead of direct discovery, even after being bonded with the mobile phone, so the ADV_IND packets are always sent.
    For this reason, devices send advertising packets and respond to scanning requests. Thus, it is also possible to develop an app that sends SCAN_REQ messages and the wearable device answers with a SCAN_RESP. The response contains information about device: its name and the current transmission power. This information may be used to plan a denial of service attack.
    This weakness is emphasized by the fact that the tracker always sends undirected advertising instead of direct discovery (i.e., ADV_DIRECT_IND), even after being bonded with a mobile phone. So devices are constantly sending advertising packets and responding to scanning requests. In this sense, a DoS attack can be led.
      
  • Not use of BLE Secure Connections. Sniffing the pairing of the application and the tracker, we can observe that the out of band (OOB) method is used to set the keys. This is one of the legacy methods, Secure Simple Pairing model, and it is not using the long term key derivation using ECDH as proposed by BLE security specification. Figure 3 shows the capture of the bonding negotiation where the OOB method is identified. The key is generated only once, in this initial pairing and stored in the bonding with the device. Despite the new BLE security specification is not followed, we were able to see its own encryption and integrity (24-bit CRC) to protect the Bluetooth connection.
    Figure 3. Bonding Negotiation.
      
  • Connections with unbounded devices. We also found the device accepts connections from non-bonded devices, similar to results of other studies. This process leaks several details about services and UUIDs, and BDAs. Armed with the UUID of a device, an attacker can monitor the tracker even if a private BDA was used. Even worse, we found that using a Bluetooth scanner application, e.g., BLEScanner or nRF Connect, we were able to modify the value of some attributes, for instance the tracker name. This can at least confuse the user (see Figure 4).
    Figure 4. Non-Bonded but connected device altering attributes.
All of these possible vulnerabilities are related to the assets PD and DI: users’ location and device information.

4.2. Vulnerabilities in the Communication between Mobile Devices and Server

The mobile device runs an app which communicates with the server. The application plays the role of forward proxy. In this part of the study, eight tests related with signing, logging, edition, pairing and synchronization processes were carried out (i.e., T4 to T11 in Table 1).
In order to inspect the security of this communication we used a proxy to inspect the traffic between them. The proxy was configured to intercept and impersonate the server to the client, issuing certificates on the fly according to the incoming requests from the devices. The certificates have to be issued according to the expected CommonName, the AltName, and the SNI (Server Name Indication) requested by the client at the initiation of the connection.
The CA (Certification Authority) certificate used by the proxy to dynamically issue the certificates has to be installed in the mobile device. This should be enough to have access to the clear text communications of the app with the server. Luckily, certificate pinning has been deployed in the app. This extra security measure allows the app to refuse a secure connection when the certificate passed by the server does not match the known certificate by the app.
To bypass the certificate pinning, the app has to be altered to remove the certificate pinning support. We download and disassemble the apk, locate the java methods where the certificate pinning is used. Inserting a return void statement at the beginning of the method suffices to bypass the certificate checking and thus the certificate pinning. We repackage the app and install it locally in the mobile device. Due to the mechanism of verification of certificates in Android when apps are installed, it is relatively easy to reassemble an app (.apk file), even using other certificates (i.e., fake certificates) different from developer.
At this point, we have access to the clear text communications between the mobile device and the server. We start the app and inspect the exchanged traffic for vulnerabilities and security issues.
  • Authentication credentials sent in cleartext. In Figure 5 we observe that the app uses HTTP Basic authentication to get an OAuth authentication token. This means the app is sending the email and password in cleartext to the server. Even though the connection is protected by TLS, the password should not be sent in cleartext. At minimum it should be hashed together with a nonce freshly generated for each connection to avoid pass the hash attacks. This fact compromises the assets PD, AD and DI.   
    Figure 5. Requesting OAuth token with cleartext passwd.
  • Misuse of OAuth2. The app also makes use of bearer tokens without protection mechanisms (e.g., digital signature, hashes, or others). OAuth mechanism does not require proof of possession of any key. The problem is that these tokens are extensively used by the apps without integrity means and they are valid for 8 hours, though according to RFC 6750 [19] they should be protected with a MAC (Message Authentication Code) and the maximum validity should be 1 h.
    Besides, once the tracker has been setup, the app is used to forward tracking information to the server. We have changed for instance the parameter btlename and the server does not complain. The Bluetooth device address and the ID of the user are sent encoded and kept constant, even after app reinstallation, making easier to track a particular user. This lack of privacy is worse if we look at the stats sent data such as user’s phone Android ID or the Wi-Fi SSID. These data can compromise the user privacy, and should not be sent to the servers.   
  • Unauthorized data share. Regarding data shared with third parties, together with data related to the tracker, the app also sends data regarding the mobile device (e.g., manufacturer, OS version, screen, paired devices and so on). This again should be explicitly authorized by the user. We must also say that the ID sent for these purposes is a different one from the ID used within the manufacturer servers.

4.3. Vulnerabilities in the Third Party API

Finally, we developed an application to test the public API for third party applications. In this part, we carried out four tests related with signing, logging and edition (i.e., T12 to T15 in Table 1).
We found some insecurities that may be improved, such as allowing the use of WebView, which does not offer the same level of protection as normal browsers, and can be easily faked. The API only supports access tokens but lacks support for OAuth Refresh tokens. Finally, we have detected that callback URLs do not force HTTPS, allowing MiTM attacks.

5. Conclusions and Future Work

This study shows that manufacturers have keep improving the design of their tracker devices. In spite of several improvements being introduced in security at Bluetooth Low Energy, they have not yet implemented them. It conveys possible vulnerabilities related to privacy and security. For many companies, security is only present at the latest phases of the design and during the maintenance period of devices, when they have to react to vulnerabilities and related issues. We expect the new EU Regulations on Data Protection and Privacy will help manufacturers understand the importance of security and introduce security in the whole design cycle, from the beginning of the design, to the end of the supported life. Some recommendations to correct the found main issues are:
  • Regarding the tracker-application communication, public BDAs are used. They should be replaced by private BDAs, or frequently changing addresses. The device should establish connections with trusted devices, not accepting connections with unbounded devices, nor making it possible the modification of some attribute values like the device name. Besides once the device is bonded with a trusted device, the tracker should only use Bluetooth Direct Discovery. General discovery brings no advantage here, only snooping the Bluetooth devices in the neighbourhood, which is not something meaningful for the purpose of the tracker, and for user side, no user data should be transmitted to the manufacturer servers.
  • Regarding the application-server communication, the bearer tokens should be adjusted to an hour or less, according to the standard. The use of cleartext passwords should be avoided and replaced by some of the many available schemas. At least, a hash including a session nonce. We could not assess the internal security measures of the manufacturer servers, but cleartext password storage must be avoided. Also the hardware identifiers should be avoided at this level of communication (tracker BDA), and explicit user consent is needed for each specific type of information that the app is transmitting (e.g., user Android ID, Wi-Fi SSID, observed Bluetooth connections). This data makes easier profiling users, and may get more cyber-criminal attention.
  • Finally, the manufacturer should improve the analysis of third party applications, effectively avoiding the access with WebView, banning callbacks to HTTP URLs, and implementing OAuth refresh tokens where the third party should be authorized every 30 days at maximum.
We are going to perform the study in other fitness trackers and to analyse privacy and security issues related to the use of data by third party applications and activity-based social networks.

Funding

This work was supported by the Spanish Ministry of Science and Innovation (MINECO) through the project INRlSCO: Incident Monitoring in Smart Communities (TEC2014-54335-C4-2-R) and MAGOS: Inteligencia de fuentes abiertas para “Smart Grids” (TEC2017-84197-C4-1-R).

References

  1. Rahman, M.; Carbunar, B.; Banik, M. Fit and Vulnerable: Attacks and Defenses for a Health Monitoring Device. arXiv 2013, arXiv:1304.5672. [Google Scholar]
  2. Apvrille, A. Geek usages for your Fitbit Flex tracker. In Proceedings of the Hack.lu Conference, Luxembourg, 20–22 October 2015. [Google Scholar]
  3. Cyr, B.; Horn, W.; Miao, D.; Specter, M. Security Analysis of Wearable Fitness Trackers (Fitbit); Technical Report; Massachusetts Institute of Technology (MIT): Cambridge, MA, USA, 2013. [Google Scholar]
  4. Clausing, E.; Schiefer, M.; Lösche, U. Internet of Things Security Evaluation of nine Fitness Trackers; Technical Report; AV TEST: The Independent IT-Security Institute: Magdeburg, Germany, 2015. [Google Scholar]
  5. Margaritelli, S. Nike+ FuelBand SE BLE Protocol Reversed, Technical Report; Evilsocket.net. 2015.
  6. Unucheck, R. How I Hacked My Smart Bracelet; Technical Report; Kaspersky Lab: Moscow, Russia, 2015. [Google Scholar]
  7. Schellevis, M.; Jacobs, B.; Meijer, C.; de Ruiter, J. Getting Access to your Own Fitbit Data; Radboud University: Nijmegen, The Netherlands, 2016. [Google Scholar]
  8. Hilts, A.; Parsons, C.; Knockel, J. Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security; Technical Report; Open Effect: Toronto, ON, Canada, 2016. [Google Scholar]
  9. Fereidooni, H.; Frassetto, T.; Miettinen, M.; Sadeghi, A.R.; Conti, M. Fitness Trackers: Fit for Health but Unfit for Security and Privacy. In Proceedings of the IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies (CHASE), Philadelphia, PA, USA, 17–19 July 2017; pp. 19–24. [Google Scholar] [CrossRef]
  10. Zhou, W.; Piramuthu, S. Security/Privacy of Wearable Fitness Tracking IoT Devices. In Proceedings of the 9th Iberian Conference on Information Systems and Technologies (CISTI), Barcelona, Spain, 18–21 June 2014. [Google Scholar] [CrossRef]
  11. Rahman, M.; Carbunar, B.; Topkara, U. Senscrypt: A secure protocol for managing low power fitness trackers. In Proceedings of the IEEE 22nd International Conference on Network Protocols, Raleigh, NC, USA, 21–24 October 2014; pp. 191–196. [Google Scholar]
  12. Rieck, J. Attacks on Fitness Trackers Revisited: A Case-Study of Unfit Firmware Security. arXiv 2016, arXiv:1604.03313. [Google Scholar]
  13. Hsu, J. The Strava Heat Map and the End of Secrets, Security news, Jan 2018. Available online: www.wired.com.
  14. Pham, A.; Huguenin, K.; Bilogrevic, I.; Dacosta, I.; Hubaux, J.P. SecureRun: Cheat-Proof and Private Summaries for Location-Based Activities. IEEE Trans. Mob. Comput. 2016, 15, 2109–2123. [Google Scholar] [CrossRef]
  15. Bluetooth SIG (Special Interest Group). Bluetooth Core Specification v4.0; w: Available online, 2009. Available online: www.bluetooth.com.
  16. Bluetooth SIG (Special Interest Group). Bluetooth Core Specification v5.0; w: Available online, 2016. Available online: www.bluetooth.com.
  17. Hardt, D. The OAuth 2.0 Authorization Framework; RFC6749; Internet Engineering Task Force (IETF): Fremont, CA, USA, October 2012. [Google Scholar]
  18. Denniss, W.; Bradley, J. OAuth 2.0 for Native Apps; RFC8252; Internet Engineering Task Force (IETF): Fremont, CA, USA, October 2017. [Google Scholar]
  19. Jones, M.; Hardt, D. The OAuth 2.0 Authorization Framework: Bearer Token Usage; RFC6750; Internet Engineering Task Force (IETF): Fremont, CA, USA, October 2012. [Google Scholar]
1
The fitness tracker model is not revealed to be compliant with the legal policy terms of service.
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Article Metrics

Citations

Article Access Statistics

Journal Statistics
Multiple requests from the same IP address are counted as one view.
Download PDF
Academic Failure in Higher Education: Socio-Cultural Analysis from the Perspectives of Students and Teachers in Mexico
Previous
Active Learning and New Technologies in Business and Economics Higher Education: The Je Suis Econplus Experience
Next