Assessing pairing and data exchange mechanism security in the wearable internet of things

Kerolos Lotfy, Matthew L. Hale

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

8 Citations (Scopus)

Abstract

The consumer wearable economy is a rapidly growing sector with an ever-increasing number of use cases, mostly focused on the quantified self. Whether used for fitness tracking, mobile health monitoring, or as remote controllers for connected smartphone apps, wearables typically come equipped with a wide variety of sensors, such as accelerometers, pulsometers, and thermometers, to capture data such as, respectively, the user's movements, heart rate, and temperature. Once data is captured, it is typically transmitted wirelessly, using Bluetooth LE (low energy), to an awaiting smartphone. Since the data may be sensitive and/or personally identifiable, it is critical that this exchange and the pairing mechanisms used to set up the connection remain secure and resilient to eavesdropping attacks. This paper empirically evaluates the data exchange mechanisms of a variety of major commercial wearable products to determine if, and how well, the products live up to this security constraint. As part of this effort, the work also investigates the three different types of Bluetooth LE pairing strategies at a packet and protocol level. The results show that presumably secure pairing strategies have glaring security vulnerabilities that affect all of the devices examined. In addition to this publication, efforts are underway to report these vulnerabilities to US-CERT.

Original language: English (US)
Title of host publication: Proceedings - 2016 IEEE International Conference on Mobile Services, MS 2016
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 25-32
Number of pages: 8
ISBN (Electronic): 9781509026258
DOIs: https://doi.org/10.1109/MobServ.2016.15
State: Published - Dec 16 2016
Event: 2016 IEEE 5th International Conference on Mobile Services, MS 2016 - San Francisco, United States
Duration: Jun 27 2016 to Jul 2 2016

Publication series

Name: Proceedings - 2016 IEEE International Conference on Mobile Services, MS 2016

Other

Other: 2016 IEEE 5th International Conference on Mobile Services, MS 2016
Country: United States
City: San Francisco
Period: 6/27/16 to 7/2/16

Fingerprint

Smartphones
Bluetooth
Electronic data interchange
Thermometers
Accelerometers
Application programs
Data acquisition
Network protocols
Controllers
Monitoring
Sensors
Temperature
Internet of things
mHealth

Keywords

  • Bluetooth
  • Internet of things
  • Man-in-the-middle attacks
  • Pairing
  • Security
  • Vulnerability discovery
  • Wearables

ASJC Scopus subject areas

  • Computer Science Applications
  • Computer Networks and Communications

Cite this

Lotfy, K., & Hale, M. L. (2016). Assessing pairing and data exchange mechanism security in the wearable internet of things. In Proceedings - 2016 IEEE International Conference on Mobile Services, MS 2016 (pp. 25-32). [7787031] (Proceedings - 2016 IEEE International Conference on Mobile Services, MS 2016). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/MobServ.2016.15

@inproceedings{e86331db35924f4eac88f365e53bcb4c,
title = "Assessing pairing and data exchange mechanism security in the wearable internet of things",
abstract = "The consumer wearable economy is a rapidly growing sector with an ever-increasing number of use cases, mostly focused on the quantified self. Whether used for fitness tracking, mobile health monitoring, or as remote controllers for connected smartphone apps, wearables typically come equipped with a wide variety of sensors, such as accelerometers, pulsometers, and thermometers, to capture data such as, respectively, the user's movements, heart rate, and temperature. Once data is captured, it is typically transmitted wirelessly, using Bluetooth LE (low energy), to an awaiting smartphone. Since the data may be sensitive and/or personally identifiable, it is critical that this exchange and the pairing mechanisms used to set up the connection remain secure and resilient to eavesdropping attacks. This paper empirically evaluates the data exchange mechanisms of a variety of major commercial wearable products to determine if, and how well, the products live up to this security constraint. As part of this effort, the work also investigates the three different types of Bluetooth LE pairing strategies at a packet and protocol level. The results show that presumably secure pairing strategies have glaring security vulnerabilities that affect all of the devices examined. In addition to this publication, efforts are underway to report these vulnerabilities to US-CERT.",
keywords = "Bluetooth, Internet of things, Man-in-the-middle attacks, Pairing, Security, Vulnerability discovery, Wearables",
author = "Kerolos Lotfy and Hale, {Matthew L.}",
year = "2016",
month = "12",
day = "16",
doi = "10.1109/MobServ.2016.15",
language = "English (US)",
series = "Proceedings - 2016 IEEE International Conference on Mobile Services, MS 2016",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "25--32",
booktitle = "Proceedings - 2016 IEEE International Conference on Mobile Services, MS 2016",

}

TY - GEN

T1 - Assessing pairing and data exchange mechanism security in the wearable internet of things

AU - Lotfy, Kerolos

AU - Hale, Matthew L.

PY - 2016/12/16

Y1 - 2016/12/16

N2 - The consumer wearable economy is a rapidly growing sector with an ever-increasing number of use cases, mostly focused on the quantified self. Whether used for fitness tracking, mobile health monitoring, or as remote controllers for connected smartphone apps, wearables typically come equipped with a wide variety of sensors, such as accelerometers, pulsometers, and thermometers, to capture data such as, respectively, the user's movements, heart rate, and temperature. Once data is captured, it is typically transmitted wirelessly, using Bluetooth LE (low energy), to an awaiting smartphone. Since the data may be sensitive and/or personally identifiable, it is critical that this exchange and the pairing mechanisms used to set up the connection remain secure and resilient to eavesdropping attacks. This paper empirically evaluates the data exchange mechanisms of a variety of major commercial wearable products to determine if, and how well, the products live up to this security constraint. As part of this effort, the work also investigates the three different types of Bluetooth LE pairing strategies at a packet and protocol level. The results show that presumably secure pairing strategies have glaring security vulnerabilities that affect all of the devices examined. In addition to this publication, efforts are underway to report these vulnerabilities to US-CERT.

KW - Bluetooth

KW - Internet of things

KW - Man-in-the-middle attacks

KW - Pairing

KW - Security

KW - Vulnerability discovery

KW - Wearables

UR - http://www.scopus.com/inward/record.url?scp=85010301225&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85010301225&partnerID=8YFLogxK

U2 - 10.1109/MobServ.2016.15

DO - 10.1109/MobServ.2016.15

M3 - Conference contribution

AN - SCOPUS:85010301225

T3 - Proceedings - 2016 IEEE International Conference on Mobile Services, MS 2016

SP - 25

EP - 32

BT - Proceedings - 2016 IEEE International Conference on Mobile Services, MS 2016

PB - Institute of Electrical and Electronics Engineers Inc.

ER -