BurnFit: Analyzing and Exploiting Wearable Devices

  • Conference paper
Information Security Applications (WISA 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9503)

Abstract

Wearable devices have recently become popular, and more and more people now buy and wear these devices to obtain health-related services. However, as wearable device technology quickly advances, its security cannot keep up with the speed of its development. As a result, it is highly likely that the devices have severe vulnerabilities. Moreover, because these wearable devices are usually lightweight, they delegate a large portion of their operations as well as permissions to software gateways on computers or smartphones, which puts users at high risk if there are vulnerabilities in these gateways. In order to validate this claim, we analyzed three devices as a case study and found a total of 17 vulnerabilities in them. We verified that an adversary can utilize these vulnerabilities to compromise the software gateway and take over a victim's computers and smartphones. We also suggest possible mitigations to improve the security of wearable devices.

Acknowledgement

This research was supported by (1) Next-Generation Information Computing Development Program through the NRF (National Research Foundation of Korea) funded by the MSIP (Ministry of Science, ICT and Future Planning) (No. NRF-2014M3C4A7030648), Korea, and by (2) the MSIP, Korea, under the ITRC (Information Technology Research Center) support program (IITP-2015-R0992-15-1006) supervised by the IITP (Institute for Information and Communications Technology Promotion).

Author information

Corresponding author

Correspondence to Yongdae Kim.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Kim, D., Park, S., Choi, K., Kim, Y. (2016). BurnFit: Analyzing and Exploiting Wearable Devices. In: Kim, Hw., Choi, D. (eds) Information Security Applications. WISA 2015. Lecture Notes in Computer Science, vol 9503. Springer, Cham. https://doi.org/10.1007/978-3-319-31875-2_19

  • DOI: https://doi.org/10.1007/978-3-319-31875-2_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31874-5

  • Online ISBN: 978-3-319-31875-2

  • eBook Packages: Computer Science (R0)
