In today's issue of "If It Has An Operating System, It Can Be Hacked," consider the lowly fitness band. These popular little wearable devices help keep people active and reaching new goals in their never-ending quest to stave off the big dirt nap for a few more years.
As it turns out, fitness bands may also not be very secure. One researcher discovered how trivially simple it was for him to connect to strangers' wristbands, and how a malefactor could use those methods for evil purposes. Fortunately, there are some easy ways to prevent this from happening to you.
Roman Unuchek, writing on the Securelist blog of Moscow-based information-security company Kaspersky Lab, said it began when he tried to connect the Android Wear app on his smartphone to his brand-new fitness band, but accidentally linked to a coworker's Nike+ Fuel Band SE instead. From there, Unuchek discovered that most fitness bands connect to smartphones using the Bluetooth LE protocol, which does not require a password to pair two devices.
By using the standard Android software development kit (he did not have to program anything new), Unuchek found that he could scan for any Bluetooth LE fitness band in the vicinity and attempt to connect to it. So he created a simple app that automatically started scanning for Bluetooth LE devices that were ready to talk.
Unuchek performed field tests in the Moscow subway system, at a gym in the tech hub of Bellevue, Washington, and at Kaspersky's own security conference last month in Cancun, Mexico. Over six cumulative hours of scanning, he encountered connectible bands sold by Fitbit, Nike, Jawbone, Microsoft, Polar and Quans, and successfully connected to 54 separate devices. (He found that he had to be within 20 feet of a device to get a connection.)
He also discovered one important thing: It's theoretically impossible to connect to a fitness band if a user's phone is already linked with it. This should keep active users safe, but Unuchek found that he could disrupt the connection between a paired phone and band, giving himself an opportunity to connect with the band instead.
"It could be that the devices I found had never connected to a phone before, or that the wristband was not connected to a smartphone while I was scanning (perhaps the Bluetooth on the phone was disabled)," Unuchek wrote. "However, it could also be that a pre-connected device was still available for connection despite the supposed restriction."
Unuchek added that he disclosed his findings to the maker of his own fitness band, the brand of which he did not identify. The company responded by saying that it considered the flaws he encountered a user-experience problem, not a security issue.
As for what kind of mischief an attacker could accomplish with this knowledge, it's minimal, for the moment. Since fitness bands generally just track a user's vital signs and habits, it wouldn't do a malefactor much good to know how many calories you've burned or how many hours you've slept.
However, fitness trackers are adding new functions all the time, and bands with built-in GPS tracking systems could reveal where a user works or lives. Unuchek theorizes that tricksters could also make ransomware that causes bands to vibrate until you pay them to stop.
Since Bluetooth LE is not password-enabled, the best thing you can do to protect your fitness band is to make sure it's always linked to your phone when you're out and about. Failing that, you could just work out, eat well, and hope for the best.