Speaker: Professor Paul Patras, School of Informatics, University of Edinburgh
Title: "The Perils (and Potential) of Fitness Tracking Systems"
Abstract: We are increasingly drawn towards making personal discoveries and
lifestyle adjustments, using data captured by wearable and mobile
devices. As a result, fitness tracking has become a lucrative
industry with a global market value expected to reach circa $62
billion by 2023. Given the sensitive nature and often monetary worth
of the data wearables collect, it is imperative to ensure record
authenticity, secure device operation, and user privacy. In this
talk, we will take a look at the security and privacy properties
of a market-leading fitness tracking ecosystem. I will reveal how
sensitive personal information gathered by such devices could be
extracted in human-readable format and demonstrate that malicious
users can inject fabricated activity records to obtain personal
benefits. I will also discuss how attackers can exploit weaknesses
in the communications protocol to connect to nearby victim trackers
and subsequently exfiltrate fitness data. Further, I will show that
tracker software updating can be compromised and the code running
on devices within wireless range can be modified without consent.
Finally, I will discuss how the official smartphone app could be
modified to subvert the vendor's cloud and redirect activity reports
to potential healthcare providers chosen by the user. Although the
majority of the vulnerabilities identified have been patched, the
lessons learned apply to other Internet of Things applications,
where the smartphone mediates between the user device and the
tracking service.