
Security flaw found in fitness wristband: Kaspersky

Zafirah Salim | March 27, 2015

Fitness trackers of all kinds have become extremely popular lately, as these wearables help people stay in shape by monitoring their physical activity and calorie intake. However, it is also important to ensure the security of such devices, because they hold important personal information about their users.

According to a study conducted by Roman Unuchek, Senior Malware Analyst at Kaspersky Lab, the authentication method implemented in several popular wristbands allows a third-party to connect invisibly to the device, execute commands, and in some cases - extract data held on the device.

In the devices examined, such data was limited to the number of steps taken by the owner during the previous hour. However, next-generation fitness bands will soon be capable of collecting a greater volume of more varied data. This means that the risk of sensitive medical data about the owner leaking could rise significantly.

The rogue connection is made possible due to the way in which the wristband is paired with a smartphone. According to the research, an Android-based device running Android 4.3 or higher - with a special unauthorised app installed - can pair with wristbands from certain vendors.

To establish a connection, users need to confirm the pairing by pressing a button on their wristband. Attackers can easily bypass this safeguard because most modern fitness wristbands have no screen. When the wristband vibrates, asking its owner to confirm the pairing, the victim has no way of knowing whether they are confirming a connection with their own device or with someone else's.

"This Proof of Concept depends on a lot of conditions for it to work properly; and in the end, an attacker wouldn't be able to collect really critical data like passwords or credit card numbers. However, it proves that there is a way for an attacker to exploit mistakes left unpatched by the device developers," said Unuchek.

"The fitness trackers currently available are still fairly dumb, capable of counting steps and following sleep cycles, but little more than that. The second generation of such devices is almost here, and they will be able to gather much more information about users. It is important to think about the security of these devices now, and ensure that there is proper protection for how the tracker interacts with the smartphone," he added.

Other Kaspersky Lab experts advise smart wristband users to check with their vendors whether such an attack vector is possible on their wearable.
