Abstract
Wearable devices such as smartwatches, fitness trackers, and blood-pressure monitors process, store, and communicate sensitive and personal information related to the health, life-style, habits and interests of the wearer. This data is typically synchronized with a companion app running on a smartphone over a Bluetooth (Classic or Low Energy) connection. In this work, we investigate what can be inferred from the metadata (such as the packet timings and sizes) of encrypted Bluetooth communications between a wearable device and its connected smartphone. We show that a passive eavesdropper can use traffic-analysis attacks to accurately recognize (a) communicating devices, even without having access to the MAC address, (b) human actions (e.g., monitoring heart rate, exercising) performed on wearable devices ranging from fitness trackers to smartwatches, (c) the mere opening of specific applications on a Wear OS smartwatch (e.g., the opening of a medical app, which can immediately reveal a condition of the wearer), (d) fine-grained actions (e.g., recording an insulin injection) within a specific application that helps diabetic users to monitor their condition, and (e) the profile and habits of the wearer by continuously monitoring her traffic over an extended period. We run traffic-analysis attacks by collecting a dataset of Bluetooth communications concerning a diverse set of wearable devices, by designing features based on packet sizes and timings, and by using machine learning to classify the encrypted traffic to actions performed by the wearer. Then, we explore standard defense strategies against traffic-analysis attacks such as padding, delaying packets, or injecting dummy traffic. We show that these defenses do not provide sufficient protection against our attacks and introduce significant costs. Overall, our research highlights the need to rethink how applications exchange sensitive information over Bluetooth, to minimize unnecessary data exchanges, and to research and design new defenses against traffic-analysis tailored to the wearable setting.
Publisher
Association for Computing Machinery (ACM)
Subject
Computer Networks and Communications,Hardware and Architecture,Human-Computer Interaction
Reference96 articles.
1. 2015. London's black cabs are to be fitted with Bluetooth enabled beacon technology. https://www.thedrum.com/news/2015/09/07/london-s-black-cabs-are-be-fitted-bluetooth-enabled-beacon-technology-. Accessed: 2020-09-20. 2015. London's black cabs are to be fitted with Bluetooth enabled beacon technology. https://www.thedrum.com/news/2015/09/07/london-s-black-cabs-are-be-fitted-bluetooth-enabled-beacon-technology-. Accessed: 2020-09-20.
2. 2016. Proxbook: Proximity Marketing in Airports and Transportation. https://unacast.s3.amazonaws.com/Proxbook_Report_Q3_2016.pdf. Accessed: 2020-09-20. 2016. Proxbook: Proximity Marketing in Airports and Transportation. https://unacast.s3.amazonaws.com/Proxbook_Report_Q3_2016.pdf. Accessed: 2020-09-20.
3. 2018. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. https://www.fda.gov/media/119933/download. Accessed: 2020-06-29. 2018. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. https://www.fda.gov/media/119933/download. Accessed: 2020-06-29.
4. 2018. Google can still use Bluetooth to track your Android phone when Bluetooth is turned off. https://qz.com/1169760/phone-data/. Accessed: 2020-03-05. 2018. Google can still use Bluetooth to track your Android phone when Bluetooth is turned off. https://qz.com/1169760/phone-data/. Accessed: 2020-03-05.
5. 2019. Carriers selling your location to bounty hunters: it was worse than we thought. https://www.theverge.com/2019/2/6/18214667/att-t-mobile-sprint-location-tracking-data-bounty-hunters. Accessed: 2020-03-05. 2019. Carriers selling your location to bounty hunters: it was worse than we thought. https://www.theverge.com/2019/2/6/18214667/att-t-mobile-sprint-location-tracking-data-bounty-hunters. Accessed: 2020-03-05.
Cited by
3 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Cybersecurity in Fitness Devices-A Systematic Literature Review;2023 International Conference on Smart Applications, Communications and Networking (SmartNets);2023-07-25
2. A Survey of Public IoT Datasets for Network Security Research;IEEE Communications Surveys & Tutorials;2023
3. A Survey of Traffic Obfuscation Technology for Smart Home;2022 International Wireless Communications and Mobile Computing (IWCMC);2022-05-30