TY - GEN
T1 - My smartphone knows your health data
T2 - 9th International Symposium on Cyberspace Safety and Security, CSS 2017
AU - Xie, Jun
AU - Wu, Sha
AU - Li, Yansong
AU - Guo, Jun
AU - Sun, Wen
AU - Liu, Jiajia
N1 - Publisher Copyright:
© 2017, Springer International Publishing AG.
PY - 2017
Y1 - 2017
N2 - Although a number of vulnerabilities have been reported for smart wearables and many efforts have been made to strengthen their security, wearable devices still face significant threats of privacy leakage due to their own inherent characteristics. To this end, we re-investigate in this paper the security concerns of smartbands. In particular, we first introduce our detailed methodology for security analysis, including log analysis, Hook technology, and Android reverse engineering. Then, we apply it to popular commercial smartbands of three different brands, the concrete information of which is omitted, identify their common vulnerabilities, and accordingly develop a fake Android application (App) utilizing the identified loopholes, given the protection measures of shelling, obfuscation, as well as forcible pairing and resetting. By installing the fake App, we are able to conduct deception attacks against the targeted smartbands, succeeding in remotely activating/deactivating the shaking function, adjusting/modifying the time (including value and format), and obtaining the smartband owner’s sensitive/health data. During our deception attacks, no cooperation from the smartband owner is required, nor is the pairing process between the targeted smartbands and our fake App.
KW - Android APP
KW - Commercial smartband
KW - Privacy leakage
KW - Wearable devices
UR - http://www.scopus.com/inward/record.url?scp=85034239105&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-69471-9_22
DO - 10.1007/978-3-319-69471-9_22
M3 - Conference contribution
AN - SCOPUS:85034239105
SN - 9783319694702
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 291
EP - 306
BT - Cyberspace Safety and Security - 9th International Symposium, CSS 2017, Proceedings
A2 - Wu, Wei
A2 - Castiglione, Aniello
A2 - Wen, Sheng
PB - Springer Verlag
Y2 - 23 October 2017 through 25 October 2017
ER -