As we strive to become more health-conscious, fitness bands have exploded on the world market. Millions of individuals strap on a fitness band each day. We monitor, compare and compete with ourselves and a community of like-minded individuals. Data including the number of steps taken daily, calories burned, heart rate and even our sleep patterns are wirelessly transmitted to our smartphones or computers. But is our data secure?

Low Energy Equals Low Security

There are a few security concerns with fitness bands, and for that matter, any Internet of Things (IoT) device that uses Bluetooth 4.0 VLE, or Very Low Energy.

A key exchange encryption protocol was created specifically for Bluetooth 4.0 VLE. It meets its design goal of using very little energy, but it can be easily compromised. The session encryption protocol uses AES-CCM, a well-known and very secure protocol. Due to the limitations of the key exchange, however, it is relatively simple to become a man-in-the-middle by brute-forcing the temporary key (TK), because the key exchange is performed in cleartext.

A Core i7 processor can guess all possible combinations of the key pair in a single second. Once in possession of the TK, the attacker simply follows the protocol to negotiate the short-term key (STK) and finally the long-term key (LTK). An attack must begin at the initial pairing. However, it is also simple to jam a session and force a new pairing (key exchange) session to start.
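The two warning signs described above, a legacy TK-based pairing and a burst of re-pairings that suggests a jammed and forced key exchange, can be picked out of a pairing log. The script below is an added example, not part of the original article; the log format, the method labels and the peer addresses are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not the output of any real tool).
# One line per pairing event: "<ISO timestamp> PAIR peer=<addr> method=<label>"
SAMPLE_LOG = """\
2024-01-10T07:01:02 PAIR peer=C4:7C:8D:11:22:33 method=LegacyJustWorks
2024-01-10T07:01:40 PAIR peer=C4:7C:8D:11:22:33 method=LegacyJustWorks
2024-01-10T07:02:15 PAIR peer=C4:7C:8D:11:22:33 method=LegacyJustWorks
2024-01-10T12:30:00 PAIR peer=F0:99:BF:44:55:66 method=SecureConnections
"""

LINE_RE = re.compile(r"^(\S+) PAIR peer=(\S+) method=(\S+)$")
# Legacy pairing methods exchange the TK in cleartext, so the TK can be brute-forced.
# "SecureConnections" stands for the ECDH-based pairing of Bluetooth 4.2+, which does not.
LEGACY_METHODS = {"LegacyJustWorks", "LegacyPasskey"}


def parse_events(log_text):
    """Return a list of (timestamp, peer, method) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def find_findings(events, window=timedelta(minutes=5), threshold=3):
    """Flag peers that used a legacy (TK-based) pairing and peers that paired
    `threshold` or more times within `window`, the pattern a forced re-pairing leaves."""
    findings = []
    by_peer = {}
    for ts, peer, method in events:
        by_peer.setdefault(peer, []).append((ts, method))
    for peer, evs in by_peer.items():
        evs.sort()
        if any(method in LEGACY_METHODS for _, method in evs):
            findings.append((peer, "legacy pairing: TK exchanged in cleartext, brute-forceable"))
        for i in range(len(evs)):  # sliding window over the sorted pairing times
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            if j - i >= threshold:
                findings.append((peer, f"{j - i} pairings within {window}: possible forced re-pairing"))
                break
    return findings


if __name__ == "__main__":
    for peer, reason in find_findings(parse_events(SAMPLE_LOG)):
        print(peer, reason)
```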

The range on Bluetooth 4.0 VLE can be as high as 100 feet, so the sniffing device need not be right by your side. That jogger running 50 feet behind you could be intercepting your data transfer from your fitness band to your phone.

A Treasure Trove of Data

Aside from your name and age, there is an immense amount of personal information attached to your fitness tracker account. GPS data regarding your home address, current location and daily running route could lead to issues of personal safety. If your tracker is linked to your Facebook or Twitter account, even more information regarding your personal life and preferences becomes available to multiple parties.

This information has proven valuable to companies screening new hires and business partners. Information regarding your daily calorie intake and diet, as well as your regular exercise level, could also be extremely valuable to a health or life insurance company seeking to rewrite policy coverage and reduce losses.

Data has become immensely valuable in shaping the future of health care and many other industries. Companies with vast banks of data are being purchased for their knowledge potential. Even unstructured data is becoming more valuable, since technology can analyze it more rapidly and draw correlations that were never before possible. In light of this, health care data is currently very valuable on the Dark Web.

Best Practices for Fitness Bands

How do you protect yourself and your private data?

The simplest thing to do is to turn the Bluetooth feature on your phone off until you are home or in a safe environment. Most fitness bands can store a day or more of fitness data. Sync your band and phone once a day, away from potential threats. This keeps your data from being intercepted during unprotected transfers.

One additional benefit: You might experience improved battery life on your phone by only enabling Bluetooth when you actually need it.
