Are Fitness Bands Secure? There’s More to It Than Just the Clasp!

August 15, 2016
co-authored by Shari Craig
2 min read

As we strive to become more health-conscious, fitness bands have exploded on the world market. Millions of individuals strap on a fitness band each day. We monitor, compare and compete with ourselves and a community of like-minded individuals. Data including the number of steps taken daily, calories burned, heart rate and even our sleep patterns are wirelessly transmitted to our smartphones or computers. But is our data secure?

Low Energy Equals Low Security

There are a few security concerns with fitness bands, and for that matter, any Internet of Things (IoT) device that uses Bluetooth 4.0 VLE, or Very Low Energy.

A key exchange encryption protocol was created specifically for Bluetooth 4.0 VLE. It meets its design goal of using very little energy, but it can be easily compromised. The session encryption protocol uses AES-CCM, a well-known and very secure protocol. Because of the limitations of the key exchange, however, it is relatively simple to become a man-in-the-middle by brute-forcing the temporary key (TK), since the key exchange is performed in cleartext.

A Core i7 processor can guess all possible combinations of the key pair in a single second. Once in communication via the TK, the protocol is followed to negotiate the short-term key (STK) and finally the long-term key (LTK). An attack must begin at the initial pairing. However, it is also simple to jam a session and force a new pairing (key exchange) session to start.

The range on Bluetooth 4.0 VLE can be as high as 100 feet, so the sniffing device need not be right by your side. That jogger running 50 feet behind you could be intercepting your data transfer from your fitness band to your phone.
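Because an attack on this key exchange has to start at a pairing, and a jammed session shows up as an unexpected re-pairing, the pairing events themselves are the thing a defender can watch. The script below is an added example, not code from the original post or from IBM: it scans a constructed log of SMP Pairing Requests seen by the phone and reports two things, a band that re-pairs more than once within a short window (the forced re-pairing pattern described above) and any pairing that uses the legacy TK-based key exchange rather than LE Secure Connections. The log format (ISO timestamp, peer address, AuthReq byte) is an assumption; the AuthReq flag bits used (0x04 MITM, 0x08 Secure Connections) are those defined in the Bluetooth Security Manager Protocol.

```python
"""Added example: flag legacy and repeated BLE pairings in a pairing log.

Log format (assumed): one pairing request per line as
    <ISO timestamp> <peer address> <AuthReq byte, hex>
In practice the events would be extracted from an HCI snoop log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# AuthReq flag bits from the SMP Pairing Request
AUTHREQ_MITM = 0x04  # MITM protection requested
AUTHREQ_SC = 0x08    # LE Secure Connections (ECDH) supported


@dataclass(frozen=True)
class PairingEvent:
    ts: datetime
    peer: str      # Bluetooth address of the band, lower-cased
    auth_req: int  # AuthReq byte from the Pairing Request


def is_legacy_pairing(ev: PairingEvent) -> bool:
    """Without the SC bit the STK is derived from the brute-forceable TK."""
    return not (ev.auth_req & AUTHREQ_SC)


def parse_log(lines):
    """Parse log lines into PairingEvents, skipping blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_s, peer, auth_s = line.split()
        events.append(PairingEvent(datetime.fromisoformat(ts_s),
                                   peer.lower(), int(auth_s, 16)))
    return events


def find_findings(events, window=timedelta(minutes=10), max_pairings=1):
    """Return (peer, finding, count) tuples.

    'legacy-pairing'   : count of pairings without Secure Connections
    'repeated-pairing' : largest number of pairings seen inside `window`,
                         reported when it exceeds `max_pairings`
    """
    findings = []
    by_peer = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_peer.setdefault(ev.peer, []).append(ev)

    for peer, evs in by_peer.items():
        legacy = [e for e in evs if is_legacy_pairing(e)]
        if legacy:
            findings.append((peer, "legacy-pairing", len(legacy)))

        # Sliding window over the time-sorted events for this peer
        start, busiest = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            busiest = max(busiest, end - start + 1)
        if busiest > max_pairings:
            findings.append((peer, "repeated-pairing", busiest))
    return findings


# Constructed sample: one band re-pairs three times in four minutes using
# legacy pairing (AuthReq 0x01 = bonding only); another pairs once with
# MITM protection and Secure Connections (AuthReq 0x0d).
SAMPLE_LOG = """
# timestamp            peer               AuthReq
2016-08-15T07:02:11 AA:BB:CC:11:22:33 0x01
2016-08-15T07:04:40 AA:BB:CC:11:22:33 0x01
2016-08-15T07:05:58 AA:BB:CC:11:22:33 0x01
2016-08-15T07:30:00 DD:EE:FF:44:55:66 0x0d
"""


if __name__ == "__main__":
    for peer, finding, count in find_findings(parse_log(SAMPLE_LOG.splitlines())):
        print(f"{peer}: {finding} (count={count})")
```

A single re-pairing is normal (a new phone, a factory reset), which is why the check reports the busiest window rather than any second pairing; the threshold and window are the knobs to tune against your own devices' behaviour.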

A Treasure Trove of Data

Aside from your name and age, there is an immense amount of personal information attached to your fitness tracker account. GPS data regarding your home address, current location and daily running route could lead to issues of personal safety. If your tracker is linked to your Facebook or Twitter account, even more information regarding your personal life and preferences becomes available to multiple parties.

This information has proven valuable to companies screening new hires and business partners. Information regarding your daily calorie intake and diet as well as your regular exercise level could also be extremely valuable to a health or life insurance company seeking to rewrite policy coverage and decrease profit loss.

Data has become immensely valuable in framing the future of health care and many other industries. Companies with vast banks of data are being purchased for their knowledge potential. Even unstructured data is becoming more valuable since technology can analyze it more rapidly and draw correlations that were never before possible. In light of this, health care data is currently very valuable on the Dark Web.

Best Practices for Fitness Bands

How do you protect yourself and your private data?

The simplest thing to do is to turn the Bluetooth feature on your phone off until you are home or in a safe environment. Most fitness bands can store a day or more of fitness data. Sync your band and phone once a day, away from potential threats. This keeps your data from being intercepted during unprotected transfers.

One additional benefit: You might experience improved battery life on your phone by only enabling Bluetooth when you actually need it.

Alan Sizemore
Associate Partner Global Security CoC, IBM

Alan has over 25 years in the technology industry from PC technician to CIO. He is currently focused on Security Intelligence and Operational Consulting. Ala...