BreakMi: Reversing, Exploiting and Fixing Xiaomi Fitness Tracking Ecosystem

Xiaomi is the leading company in the fitness tracking industry. Successful attacks on its fitness tracking ecosystem would have severe consequences, including the loss of sensitive health and personal data. Despite these relevant risks, very little is known about the security mechanisms adopted by Xiaomi. In this work, we uncover them and show that they are insecure. In particular, Xiaomi protects its fitness tracking ecosystem with custom application-layer protocols spoken over insecure Bluetooth Low Energy (BLE) connections (ignoring the standard BLE security mechanisms already supported by its devices) and TLS connections. We identify severe vulnerabilities affecting these proprietary protocols, including unilateral and replayable authentication. These issues are critical, as they affect all Xiaomi trackers released since 2016 and up-to-date Xiaomi companion apps for Android and iOS. We show in practice how to exploit the identified vulnerabilities by presenting six impactful attacks. Four attacks make it possible to wirelessly impersonate any Xiaomi fitness tracker and companion app, man-in-the-middle (MitM) them, and eavesdrop on their communication. The other two attacks leverage a malicious Android application to remotely eavesdrop on data from a tracker and impersonate a Xiaomi fitness app. Overall, the attacks have a high impact, as they can be used to exfiltrate and inject sensitive data from any Xiaomi tracker and compatible app. We propose five practical and low-overhead countermeasures to mitigate the presented vulnerabilities. Moreover, we present breakmi, a modular toolkit that we developed to automate our reverse-engineering process and attacks. breakmi understands Xiaomi's proprietary application-layer protocols, reimplements Xiaomi's security mechanisms, and automatically performs our attacks. We demonstrate that our toolkit can be generalized by extending it to be compatible with the Fitbit ecosystem. We will open-source breakmi.
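The abstract names two protocol weaknesses, unilateral and replayable authentication, and says the paper proposes countermeasures for them. The following added example (written for this page, not code from the paper or from breakmi, and not a reimplementation of any Xiaomi protocol) illustrates the general point with a toy shared-key challenge-response exchange: a weak variant where only the app is authenticated and the tracker's challenge is static, so a response recorded once can be reused in a later session, beside a hardened variant where each side contributes a fresh random nonce, both sides prove knowledge of the key, and the tracker discards its nonce after one use. All class and function names, the `b"constructed-shared-key"` value, and the message framing are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-separated parts; the toy protocol's only primitive."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class WeakTracker:
    """Unilateral authentication with a static challenge (constructed weak design)."""

    def __init__(self, key: bytes):
        self.key = key
        self.challenge = b"static-challenge"  # never changes, so responses are reusable

    def issue_challenge(self) -> bytes:
        return self.challenge

    def verify(self, response: bytes) -> bool:
        # Only the app is authenticated; nothing here proves the tracker's identity
        return hmac.compare_digest(response, mac(self.key, self.challenge))


class WeakApp:
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return mac(self.key, challenge)


class HardenedTracker:
    """Mutual authentication bound to fresh nonces from both sides (constructed fix)."""

    def __init__(self, key: bytes):
        self.key = key
        self.nonce = None

    def issue_challenge(self) -> bytes:
        self.nonce = os.urandom(16)  # fresh per session
        return self.nonce

    def verify_app(self, app_nonce: bytes, response: bytes):
        """Return the tracker's own proof on success, None on failure.

        The nonce is consumed either way, so a second attempt needs a new challenge."""
        if self.nonce is None:
            return None
        expected = mac(self.key, b"app", self.nonce, app_nonce)
        ok = hmac.compare_digest(response, expected)
        proof = mac(self.key, b"tracker", self.nonce, app_nonce) if ok else None
        self.nonce = None
        return proof


class HardenedApp:
    def __init__(self, key: bytes):
        self.key = key
        self.app_nonce = None

    def respond(self, tracker_nonce: bytes):
        self.app_nonce = os.urandom(16)  # the app's own freshness contribution
        return self.app_nonce, mac(self.key, b"app", tracker_nonce, self.app_nonce)

    def verify_tracker(self, tracker_nonce: bytes, proof: bytes) -> bool:
        expected = mac(self.key, b"tracker", tracker_nonce, self.app_nonce)
        return hmac.compare_digest(proof, expected)


KEY = b"constructed-shared-key"  # constructed sample value for the demo


def weak_replay_accepted() -> bool:
    """A response observed in one session is accepted unchanged in a later one."""
    tracker, app = WeakTracker(KEY), WeakApp(KEY)
    recorded = app.respond(tracker.issue_challenge())  # session 1
    tracker.issue_challenge()                          # session 2: same challenge
    return tracker.verify(recorded)


def hardened_replay_accepted() -> bool:
    """The same recording against the hardened tracker fails: the nonce changed."""
    tracker, app = HardenedTracker(KEY), HardenedApp(KEY)
    app_nonce, recorded = app.respond(tracker.issue_challenge())  # session 1
    assert tracker.verify_app(app_nonce, recorded) is not None
    tracker.issue_challenge()                                     # session 2: new nonce
    return tracker.verify_app(app_nonce, recorded) is not None


def hardened_mutual_auth_completes() -> bool:
    """Both sides finish: the app also checks the tracker's proof before trusting it."""
    tracker, app = HardenedTracker(KEY), HardenedApp(KEY)
    tracker_nonce = tracker.issue_challenge()
    app_nonce, response = app.respond(tracker_nonce)
    proof = tracker.verify_app(app_nonce, response)
    return proof is not None and app.verify_tracker(tracker_nonce, proof)


if __name__ == "__main__":
    print("weak design accepts replay:", weak_replay_accepted())
    print("hardened design accepts replay:", hardened_replay_accepted())
    print("hardened mutual auth completes:", hardened_mutual_auth_completes())
```

The two properties to check in a real protocol are the ones the functions above isolate: whether a recorded response is still valid once the verifier's challenge changes (replayability), and whether the party that starts the exchange ever receives a key-bound proof from the other side (unilateral versus mutual). An application-layer design that passes both checks still benefits from enabling the standard BLE pairing and link encryption the abstract notes these devices already support, since the toy exchange above protects authentication, not the confidentiality of the data that follows it.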
