Fitness wearables vulnerable to data exfiltration

The significant volumes of personal data generated by wearable fitness trackers are rarely considered by their owners, but as the volume and variety of data grow in next-generation devices, the vulnerability of sensitive medical data to leakage could become a cause for concern.

Researching wristbands that interact with a smartphone, Kaspersky Lab researcher Roman Unuchek found that authentication for many smart wristbands allows a third-party to connect invisibly to the device, execute commands, and – in some cases – extract data held on the device.

A smartphone running Android 4.3 or higher with a special unauthorised app installed can be used to pair with wristbands from certain vendors. Users confirm the pairing by pressing a button on their wristband. As most fitness wristbands have no screen, when the wristband vibrates asking its owner to confirm the pairing, the victim has no way of knowing whether they are confirming a connection with their own device or someone else's.

"This Proof of Concept depends on a lot of conditions for it to work properly, and in the end an attacker wouldn't be able to collect really critical data like passwords or credit card numbers. However, it proves that there is a way for an attacker to exploit mistakes left unpatched by the device developers. The fitness trackers currently available are still fairly dumb, capable of counting steps and following sleep cycles, but little more than that.

"But the second generation of such devices is almost here, and they will be able to gather much more information about users. It is important to think about the security of these devices now, and ensure that there is proper protection for how the tracker interacts with the smartphone," said Roman Unuchek, senior malware analyst at Kaspersky Lab, in a statement to the press.