March 26, 2015

Insecure Wearables: Kaspersky Lab Researcher Discovers Security Issue in His Fitness Wristband

A Kaspersky Lab researcher has examined how a number of fitness wristbands interact with a smartphone and discovered some surprising results.

Fitness trackers of all kinds have become extremely popular, helping people to manage their physical activity and calorie intake and stay in shape. However, such devices also process sensitive personal data about their owners, and that data needs to be kept secure. Kaspersky Lab researcher Roman Unuchek has examined how a number of fitness wristbands interact with a smartphone and discovered some surprising results.

According to his research findings, the authentication method implemented in several popular smart wristbands allows a third party to connect invisibly to the device, execute commands and, in some cases, extract data held on the device. In the devices investigated by the Kaspersky Lab researcher, such data was limited to the number of steps taken by the owner during the previous hour. However, once next-generation fitness bands capable of collecting a greater volume of more varied data appear on the market, the risk of sensitive medical data about the owner leaking out could rise significantly.

The rogue connection is made possible by the way in which the wristband is paired with a smartphone. According to the research, a device running Android 4.3 or higher with a special unauthorized app installed can pair with wristbands from certain vendors. To establish a connection, users need to confirm the pairing by pressing a button on their wristband. Attackers can easily overcome this check, because most modern fitness wristbands have no screen: when the wristband vibrates to ask its owner to confirm the pairing, the victim has no way of knowing whether they are confirming a connection with their own device or with someone else's.

“This Proof of Concept depends on a lot of conditions for it to work properly, and in the end an attacker wouldn’t be able to collect really critical data like passwords or credit card numbers. However, it proves that there is a way for an attacker to exploit mistakes left unpatched by the device developers. The fitness trackers currently available are still fairly dumb, capable of counting steps and following sleep cycles, but little more than that. But the second generation of such devices is almost here, and they will be able to gather much more information about users. It is important to think about the security of these devices now, and ensure that there is proper protection for how the tracker interacts with the smartphone,” said Roman Unuchek, Senior Malware Analyst at Kaspersky Lab.

Kaspersky Lab experts advise users of smart wristbands who are concerned about the security of their device to check with the wristband’s vendor whether such an attack vector is possible on their product.

Read more about the research performed by Roman Unuchek in his article on Securelist.com.
