Fitness tracker wearables of all kinds have become extremely popular, helping people to manage their physical activity and calorie intake so as to stay healthy. Such devices process vital personal data from the users' devices and it is important to keep them secure.
Senior Malware Researcher at Kaspersky Lab, Roman Unuchek, has examined how a number of fitness wristbands interact with a smartphone, and discovered some surprising results.
According to his research, the authentication method in several popular fitness wearables allows a third party app to connect invisibly to the device, execute commands, and, in some cases, extract data from the device. In the devices investigated by the Kaspersky Lab researcher, such data was limited to the amount of steps taken by the user during the previous hour. However, next-generation fitness bands will be capable of collecting a greater volume of more varied data, significantly increasing the risk of sensitive medical data about the user leaking out.
The rogue connection is made possible because of the way in which the wristband is paired with a smartphone. According to the research, an Android-based device running on Android 4.3 or higher, with an unauthorised app installed, can pair with wristbands from certain vendors. To establish a connection, users need to confirm the pairing by pressing a button on their wristbands. Attackers can easily overcome this, because numerous fitness wearables sacrifice the display for making it affordable.
When the wristband vibrates, asking its user to confirm the pairing, the victim has no way of knowing whether they are confirming a connection with their own device or someone else's.
"This Proof of Concept depends on a lot of conditions for it to work properly, and in the end an attacker wouldn't be able to collect really critical data like passwords or credit card numbers. However it proves that there is a way for an attacker to exploit mistakes left unpatched by the device developers. The fitness trackers currently available are still fairly dumb, capable of counting steps and following sleep cycles, but little more than that. But the second generation of such devices is almost here, and they will be able to gather much more information about users. It is important to think about the security of these devices now, and ensure that there is proper protection for how the tracker interacts with the smartphone," said Roman Unuchek.
