My smartphone knows your health data: Exploiting android-based deception attacks against smartbands

Abstract

Although a number of vulnerabilities have been reported for smart wearables and lots of efforts have been taken to strengthen their security, wearable devices face still significant threats of privacy leakage due to their own inherent characteristics. Towards this end, we re-investigate in this paper the security concerns of smartbands. In particular, we first introduce our detailed methodology for security analysis, including log analysis, Hook technology, and Android reverse engineering. Then, we apply it to popular commercial smartbands of three different brands the concrete information of which is omitted, identify their common vulnerabilities, and develop accordingly a fake Android application (App) utilizing the identified loopholes, given the protection measures of shelling, obfuscation, as well as forcible pairing and resetting. By installing the fake App, we are able to conduct deception attacks against the targeted smartbands, succeeding to remotely activate/deactivate shaking function, to adjust/modify time (including value and format), and to obtain the smartband owner’s sensitive/health data. During our deception attacks, no cooperation from the smartband owner is required, neither the pairing process between the targeted smartbands and our fake App.