LAYING THE GROUNDWORK: FITNESS TRACKER SECURITY FOR USE BY DEPARTMENT OF THE NAVY PERSONNEL

Authors
Zick, Margaret
Advisors
Irvine, Cynthia E.
Singh, Gurminder
Subjects
Internet of Things
Bluetooth
Bluetooth Low Energy
security
fitness tracker
Date of Issue
2022-12
Publisher
Monterey, CA; Naval Postgraduate School
Abstract
Bluetooth-capable Internet of Things devices have become prevalent within modern society, and continuous connectivity has become an expectation. Recently, wearable fitness trackers have been authorized for use by service members while in uniform. The objective of this work was to determine if vulnerabilities persist in fitness trackers and if their ecosystems render them a security risk to the Department of Defense. The devices selected for this study were readily available, low-cost products, spanning several vendors. Five device models were selected from among the following vendors: Huawei, Amazfit, Garmin, and Fitbit. These devices use Bluetooth to transmit sensitive data to the paired central device. This Bluetooth traffic was captured from two separate perspectives as the devices conducted pairing and various feature invocations: passively, through eavesdropping with Project Ubertooth, and actively, logged directly on the central device. The resulting packet capture files were analyzed to determine vendor-specific security implementation and susceptibility to attack. Three of the five devices studied, those from Huawei and Amazfit, utilized no Bluetooth security features. They did not conduct pairing and routinely operated in the most vulnerable stage of Bluetooth communication. This poses significant risk to the user.
Type
Thesis
Department
Computer Science (CS)
Distribution Statement
Approved for public release. Distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.