The man who hacked his own wristband: A warning to wearable tech owners
Kaspersky lab security researcher Roman Unuchek has written on how the authentication method in popular smart wristbands allows a third party to connect to the device, execute commands and even extract data.
The worrying findings came after a multi-month investigation that began when Unuchek first attempted to connect to his personal wristband (which remains nameless) and found he could just as easily connect to his colleague's Nike+ FuelBand SE.
Using sample code taken from Android's SDK (an example application that connects to Bluetooth Low Energy (BLE) devices), the Kaspersky researcher opened a new project in Android Studio and pressed Start; a list of the device's services, among a bunch of other information, came up, meaning he could connect.
After that, Unuchek developed an app which automatically searched for BLE-enabled devices, and found that in two hours on the Moscow underground he could have connected to 19 devices – 11 FitBits and eight Jawbones – and in one hour at a gym in Bellevue 25 devices were on offer.
Unuchek noted that "in most cases" authentication is required in addition to the connection in order to gain access to user data; however, this was also overcome through the app.
He wrote in a SecureList blog post: “Fitness trackers are becoming more popular and offer a wider range of functions. Perhaps in the near future they will contain more sensors and hence much more user information. However the creators of these devices seem to think very little about their safety.”
One of the more disconcerting actions a fraudster could take is to make the user’s wristband vibrate constantly and demand money to make it stop. Similarly, retailers could assess a user’s heartbeat when they are looking at prices in the store, and see how they react to certain advertising.
“Whatever the reason, potential fraudsters have ample opportunity to connect to fitness trackers,” Unuchek added.
Naturally, it’s understandable that such a nascent technology will have security fears. Back in August researchers from Symantec came to a similar conclusion and found they could track users who tracked their lives using fitness or health apps by bodging together a ‘Blueberry Pi’ – a Raspberry Pi, a battery pack, a Bluetooth USB dongle and a 4GB SD card, all costing around $75 in total.
Kaspersky is not divulging the name of the brand for ethical and security reasons, but recommends that concerned users contact the vendor in question and run through the methods outlined.