A few recent articles described privacy issues in the connectivity mechanisms of fitness devices1. This post offers some design suggestions to avoid structuring a product that later will fall in a bad category if audited by 3rd parties for privacy and security.
A significant portion of the article deal with privacy issues relate the Media Access Control (MAC) addresses. As a Bluetooth Smart device exchanges packets with a smartphone, they must identify themselves using a unique number: the MAC address. This addressing is the basis of the wireless exchanges. This address, if it remains the same over long periods of time, will eventually allow external monitors to identify the wearer of the device by correlating information. If every morning one passes in front of a coffee shop, a monitoring system will recognize the MAC signature and therefore could be correlated with a camera feed and then someone could easily have a good identification method to detect the approach of that user in other areas of the city.
An approach to solve this privacy problem is called MAC address randomization. The Bluetooth Smart device will change its MAC address periodically by internally generating a new random identifier for its radio. This happens every 15 minutes on many modern systems.
Thus if on Monday, someone visits a shopping mall and passes near a Bluetooth monitor with a certain MAC address, that same person coming again the next day will not be carrying the same identification and that will make it harder for a system to automatically link the wearable to a given person.
Unfortunately, a smartphone with Wifi open and attempting to connect to hotspots may leave specific traces of the person in the same manner as Bluetooth Smart. The WiFi packets also carry identifying information (also called MAC address). Therefore, the blame cannot be all put on wearables for privacy issues. Someone concern about their privacy should consider all devices as a potential source of signatures. Cellular phone can also be tracked quite precisely as they constantly exchange with the provider's tower.
The details on the methods to increase the privacy are discussed on the Bluetooth SIG in the
Protecting Your Privacy article.
Protecting the data between the fitness tracker and the application
The fitness tracker will send its information to the application in Bluetooth Smart systems using a protocol called the the Generic Attribute Profile (GATT). Those attributes are then sent over the link. For example, step count and walk cadence can be exchanged between the fitness tracker and the server using a standard profile.
Someone could emulate a fitness tracker by replicating the attributes of a given device and fake steps or similar activity. If the fitness tracker was to be used to motivate someone to do exercise, then one wonders why someone would to to such length to avoid exercises... If the tracker is to be used by insurance companies to calculate premiums, then protecting the data stream from faked information becomes another matter altogether.
A few ways exist at the sytem level to avoid emulation by using the concept of electronic signature. If a tally of the step counts over a day is digitally signed by the fitness tracker using a cryptographic method (e.g. SHA), then it becomes a lot more difficult to inject false steps or activity since the server would be able to tell that the data was not signed by a genuine device.
For the really paranoid special ICs have the ability to hold a secret key inside that is very robust to tampering, costs a few cents and will ensure that some data structures initiated from the device are properly signed.
The device like Atmel CryptoAuthentication SHA-256 can provide such solution in a manner that would make it very difficult to justify attempting to fake the sports activity, due to the expense and added complexity.
Protecting the data between the application and the server
The application in the smartphone also needs to protect against attacks. However if the fitness tracker has the ability to sign its information, then other attacks within the system may not work. Only if the attacker manages to get the private key from the fitness tracker can he fool the server.
The certificate pinning process could be bypassed through elaborate means.
Encrypting the data
Encrypting aggregate data (e.g. number of steps cumulated during the day) and sending this information to a server would lead to a solution that is difficult to attack. One of the reason is that this encrypted packet from the fitness tracker to the server would look like random binary data to an observer. One needs to be careful to properly structure the encryption (salting and initialisation vectors are important concepts to understand). Once protected by encryption, the fitness data would be protected both from prying eyes (as only the server could make sense of the data) and also avoid scams.
Again, some ICs can ensure that the key used to encrypt the data is well protected inside the fitness device.
Encryption has the drawback that it completely hides the data from intermediates. Storing the decryption key within the app is not that safe as it could be recovered by an attacker. Storing the key on the server is safer, but everyone in the intermediate chain (app, 3rd party developpers) will not be able to use the data.
System-level Compromises and Complexity
As with any system, the more levels of protection one adds, the more complex the system becomes. If data is encrypted or digitally signed, then some provisions in the firmware (code running on the fitness device) needs to be developped, tested. Security audits may also be required to ensure that the system stands the review of external scrutiny. We feel that early fitness tracking devices that did poorly in the report did not have the luxury to do in-depth planning of security and privacy features of their devices. The market is very aggressive and sometimes, decisions are done to gain market share, not considering the long-term consequences of the extended use of the devices the market will find.
There is no easy way to completely prevent fitness trackers to being cheated even if the protocols are made very robust. Someone could build a small motorized contraption that you attach the tracker and fake steps all day long.
The research article can be found here: https://www.documentcloud.org/documents/2702048-Open-Effect-Report-Every-Step-You-Fake-version03.html ↩
Motsai designs and builds innovative embedded systems, and is the leading Canadian developer of miniature low-power, wireless devices used in wearables and human motion analysis. Please feel free to send us an email at firstname.lastname@example.org or drop us a line at +1-888 -849-6956. Don't forget to signup for blog updates below.