BurnFit: Analyzing and Exploiting Wearable Devices

Wearable devices have recently become popular, and more and more people now buy and wear these devices to obtain health-related services. However, as wearable device technology quickly advances, its security cannot keep up with the speed of its development. As a result, it is highly likely for the devices to have severe vulnerabilities. Moreover, because these wearable devices are usually light-weight, they delegate a large portion of their operations as well as permissions to a software gateways on computers or smartphones, which put users at high risk if there are vulnerabilities in these gateways. In order to validate this claim, we analyzed three devices as a case study and found a total 17 vulnerabilities in them. We verified that an adversary can utilize these vulnerabilities to compromise the software gateway and take over a victim's computers and smartphones. We also suggest possible mitigation to improve the security of wearable devices.

[1]  José del R. Millán,et al.  Adaptive brain interfaces , 1999, IWANN.

[2]  Somesh Jha,et al.  FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution , 2013, USENIX Security Symposium.

[3]  Christopher Krügel,et al.  Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware , 2015, NDSS.

[4]  Roberto Di Pietro,et al.  Security and privacy issues of handheld and wearable wireless devices , 2003, CACM.

[5]  David Brumley,et al.  Unleashing Mayhem on Binary Code , 2012, 2012 IEEE Symposium on Security and Privacy.

[6]  Mike Ryan,et al.  Bluetooth: With Low Energy Comes Low Security , 2013, WOOT.

[7]  Jonas Zaddach Embedded devices security and firmware reverse engineering , 2013 .

[8]  T. Alves,et al.  TrustZone : Integrated Hardware and Software Security , 2004 .

[9]  David Brumley,et al.  AEG: Automatic Exploit Generation , 2011, NDSS.

[10]  Roy H. Campbell,et al.  Wearable security services , 2001, Proceedings 21st International Conference on Distributed Computing Systems Workshops.

[11]  Aurélien Francillon,et al.  A Large-Scale Analysis of the Security of Embedded Firmwares , 2014, USENIX Security Symposium.

[12]  Chris Eagle,et al.  The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler , 2008 .

[13]  Luca Bruno,et al.  AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares , 2014, NDSS.

[14]  Roy H. Campbell,et al.  Towards Security and Privacy for Pervasive Computing , 2002, ISSS.