Presentation Material
Abstract
Consumer IoT devices manifest in a variety of forms today, including fitness trackers, rings, smartwatches, pacemakers, and so on. The wearable IoT market is dominated by small and medium-sized businesses, who are often in a rush to hit the shelves before their competitors and trivialize the need for security in the bargain, citing no “return on investment”.
In our presentation, we deep-dive into the wireless protocol of choice for wearables, Bluetooth Low Energy (BLE), and its impact from a security perspective. We use a USB-based Bluetooth hacking hardware board called Ubertooth-One to analyze popular market products, and also perform a live demo on stealing information from a fitness tracker using standard Android app development practices. We wrap up with a discussion on simple cryptographic approaches and BLE-hardening mechanisms to prevent such attacks on wearable and IoT platforms.
AI-Generated Summary
This talk examined security vulnerabilities in Bluetooth Low Energy (BLE) communications within the mobile and wearable IoT ecosystem. The research highlighted a fundamental flaw in the trust model: wearable devices trust all applications on a paired smartphone, so a malicious app holding only standard Bluetooth permissions can read application-layer data in the clear, because BLE link encryption under the Long Term Key (LTK) is removed at the OS level before the data reaches apps.
Two attack demonstrations were presented. First, a custom malware app on an Android phone successfully intercepted and extracted sensitive data like step counts, calories, and heart rate from a fitness tracker by listening to BLE characteristics. Second, an over-the-air attack using the Ubertooth tool and Wireshark captured BLE traffic. For devices using weak “Just Works” pairing (default PIN 000000), the Crackle tool could brute-force the temporary key, derive the LTK, and decrypt the BLE packets. Even devices with LTK encryption were vulnerable if they relied solely on BLE security without additional application-layer protection.
The core finding is that BLE’s LTK encryption alone is insufficient. The proposed solution is implementing application-specific encryption between the wearable device and its legitimate companion app. This ensures that even if BLE traffic is intercepted or a malware app is present, the data remains encrypted and inaccessible without the app-specific key. The talk concluded that robust IoT security requires integrating privacy and security measures, including such layered encryption, throughout the entire development lifecycle and CI/CD pipeline, addressing device, mobile, protocol, and cloud components collectively.
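As an added example (not code from the talk), the application-layer protection proposed above, in Go: the tracker firmware seals each reading with AES-GCM under an app-specific key, so a phone app with only Bluetooth permissions, or an over-the-air capture that has recovered the LTK, sees only ciphertext, and the legitimate companion app rejects tampered or short values. The 7-byte reading layout, the function names and the way the key is provisioned are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)
// Activity is the reading a tracker would otherwise expose in plaintext as a GATT characteristic value (constructed 7-byte little-endian layout).
type Activity struct{ Steps uint32; Calories uint16; HeartRate uint8 }
func newGCM(appKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(appKey) // 16, 24 or 32-byte app-specific key (assumed provisioned at onboarding)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// SealActivity builds the value the firmware notifies: a fresh 12-byte nonce, then AES-GCM ciphertext and tag.
// Once the OS has removed BLE link (LTK) encryption, any other app reading the characteristic still sees only these opaque bytes.
func SealActivity(appKey []byte, a Activity) ([]byte, error) {
	gcm, err := newGCM(appKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, 7)
	binary.LittleEndian.PutUint32(pt[0:4], a.Steps)
	binary.LittleEndian.PutUint16(pt[4:6], a.Calories)
	pt[6] = a.HeartRate
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil
}
// OpenActivity is the legitimate companion app's side: a wrong key, a tampered value or a malformed length is rejected.
func OpenActivity(appKey, value []byte) (Activity, error) {
	gcm, err := newGCM(appKey)
	if err != nil {
		return Activity{}, err
	}
	n := gcm.NonceSize()
	if len(value) != n+7+gcm.Overhead() {
		return Activity{}, errors.New("unexpected characteristic length")
	}
	pt, err := gcm.Open(nil, value[:n], value[n:], nil)
	if err != nil {
		return Activity{}, err
	}
	return Activity{binary.LittleEndian.Uint32(pt[0:4]), binary.LittleEndian.Uint16(pt[4:6]), pt[6]}, nil
}
```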