Elevator Pitch
Consumer IoT devices manifest in many forms, including fitness bands. We deep-dive into the wireless protocol of choice for wearables, Bluetooth Low Energy (BLE), and its impact from a security perspective. We’ll perform a live demo on stealing info from a fitness tracker using a standard Android app.
Description
Wearable devices are immediate, discreet and accurate forms of analyzing our health, activity and fitness. These devices have unprecedented opportunities to monitor and benefit humans. The enormous advantages of the device can be turned upside down to enormous disadvantages if the devices and the wearable ecosystems are not secured. These devices access, process, store and transmit a great deal of personal and personally identifiable information belonging to their users.

In our presentation, we talk about attacks and defensive security measures for fitness-class wearable devices. We discuss the security requirements, assurance activities and threats for each of the building blocks of the wearable (device, mobile apps and cloud), as well as for the end-to-end ecosystem, and how a flaw in a single component can have a butterfly effect and cripple the entire ecosystem. Our talk includes analysis of Bluetooth and Bluetooth Low Energy (BLE) wireless protocols, which are popularly used by most fitness wearable products. We use one of many market-available hardware solutions for BLE traffic debugging, the USB-based Ubertooth-One, to perform packet sniffing on well-known activity trackers. We talk about how new vulnerabilities can surface under very specific conditions, when we have these new-age products working with smartphones (Android and iOS), which they almost always pair with.

Our presentation includes real-time demonstrations of exploits on wearable device communication channels and code walkthroughs of these attacks. Using Ubertooth-One and capturing BLE traffic, we also demonstrate how it’s very simple to break the BLE encryption and extract the encryption key using open source software solutions. We conclude with a discussion on defensive measures and security best practices that vendors can adopt to protect against the attacks we demonstrate.
Notes
Structure of the Talk
[1] Blueprint of Wearable eco-systems
A technical introduction to the variegated world of wearables — how the form factors and use cases may be very diverse, but there are foundational blueprints (architecturally speaking) that exist in most such programs.
[2] Challenges in developing a secure product.
In this section of the presentation, we talk about the myriad of challenges in planning and developing wearable products, and the shortcomings of the traditional SDL practices.
[3] Securely designing a software
In this section, we discuss the threats and considerations that go into designing a software fitness coach securely. We discuss the assets, adversaries, sensitive data management, and so on.
[4] Ecosystem Security
We talk about how the building blocks of a wearable ecosystem are interconnected and what kind of security threats surface when these pieces come together.
[5] Real World problems [Live demos]
We will use this portion of the presentation to demo some of the real-world vulnerabilities that were discovered by us. Live Demo - Weaknesses in existing wearable standards and in their adoption. Includes hacking a communication protocol used by a fitness tracking device.
[6] Eavesdropping on an Activity Tracker [Live demos]
We deep dive into Bluetooth and BLE Security topics. We live capture the BLE packets of a fitness tracking device and analyze the captured BLE pcap files. Live Demo - We sniff the BLE communication between a smartphone and a fitness device and break the communication by cracking the BLE security keys.
[7] Defense mechanisms
A discussion of how attacks on these wearables can be prevented and what defensive steps should be followed in the process of securing these platforms. We also propose a next-generation security development lifecycle best suited for wearables, one that incorporates both security and privacy.
Reasons why this material is significant
- Fitness trackers, smartphones (Android and iOS) and Bluetooth are omnipresent today. Yet, these vulnerabilities lurking around the corners are not discussed and dispositioned enough in the market. We seek to demonstrate how easy it is to use market-available solutions to attack these platforms.
- Cracking encryption and extracting the encryption key is pretty cool. We think the audience will really love to see an AES key stripped out from a PCAP and printed on the screen.
- We not only include two demos for attacking BLE systems, but also discuss practical cryptographic approaches that can work in such extreme form factor devices. This will be useful from a practical sense to many attendees who actually work on such technologies in their day jobs.