My Smartphone Knows Your Health Data: Exploiting Android-Based Deception Attacks Against Smartbands

  • Conference paper
Cyberspace Safety and Security (CSS 2017)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10581)

Abstract

Although a number of vulnerabilities have been reported for smart wearables and considerable effort has gone into strengthening their security, wearable devices still face significant threats of privacy leakage due to their inherent characteristics. To this end, we re-investigate in this paper the security concerns of smartbands. In particular, we first introduce our detailed methodology for security analysis, including log analysis, Hook technology, and Android reverse engineering. Then, we apply it to popular commercial smartbands of three different brands (whose concrete details are omitted), identify their common vulnerabilities, and accordingly develop a fake Android application (App) utilizing the identified loopholes, given the protection measures of shelling, obfuscation, as well as forcible pairing and resetting. By installing the fake App, we are able to conduct deception attacks against the targeted smartbands, succeeding in remotely activating/deactivating the shaking function, adjusting/modifying the time (including value and format), and obtaining the smartband owner’s sensitive/health data. During our deception attacks, no cooperation from the smartband owner is required, nor is the pairing process between the targeted smartbands and our fake App.

Corresponding author

Correspondence to Jiajia Liu.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Xie, J., Wu, S., Li, Y., Guo, J., Sun, W., Liu, J. (2017). My Smartphone Knows Your Health Data: Exploiting Android-Based Deception Attacks Against Smartbands. In: Wen, S., Wu, W., Castiglione, A. (eds) Cyberspace Safety and Security. CSS 2017. Lecture Notes in Computer Science, vol 10581. Springer, Cham. https://doi.org/10.1007/978-3-319-69471-9_22

  • DOI: https://doi.org/10.1007/978-3-319-69471-9_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-69470-2

  • Online ISBN: 978-3-319-69471-9

  • eBook Packages: Computer Science, Computer Science (R0)
