Fit and Vulnerable: Attacks and Defenses for a Health Monitoring Device
This addresses security risks for users of health monitoring devices integrated with social networks, though it is incremental as it focuses on a specific system.
The paper identified privacy and security vulnerabilities in Fitbit by reverse engineering its protocol and built FitBite to exploit these for attacks like eavesdropping and financial gain, while proposing FitLock as a lightweight defense with only 2.4% overhead.
The fusion of social networks and wearable sensors is becoming increasingly popular, with systems like Fitbit automating the process of reporting and sharing user fitness data. In this paper we show that while compelling, the integration of health data into social networks is fraught with privacy and security vulnerabilities. Case in point, by reverse engineering the communication protocol, storage details and operation codes, we identified several vulnerabilities in Fitbit. We have built FitBite, a suite of tools that exploit these vulnerabilities to launch a wide range of attacks against Fitbit. Besides eavesdropping, injection and denial of service, several attacks can lead to rewards and financial gains. We have built FitLock, a lightweight defense system that protects Fitbit while imposing only a small overhead. Our experiments on BeagleBoard and Xperia devices show that FitLock's end-to-end overhead over Fitbit is only 2.4%.