Uncovering Privacy Leakage in BLE Network Traffic of Wearable Fitness Trackers 重点词：信息泄露、可穿戴设备。 要求佩戴额外的传感器 手环等带来的信息 Aveek K. Das, Parth H. Pathak, Chen-Nee Chuah, Prasant Mohapatra University of California, Davis, CA, USA. Email: {akdas, phpathak, chuah, pmohapatra}@ucdavis.edu

BLE Fitness Trackers Fitness trackers have become increasing popular Notion of “quantified-self” Low energy consumption -> BLE becoming the dominant standard for wearable communication 200% growth in shipped devices from 2014 to 2015 量化生活概念的流行，可穿戴的测量设备越来越多，其中，运动手环在14年到15年增长了200%

Motivation Recent works show tracking of users’ hand motion by the sensors on wrists Widespead usage of BLE network Fitness Trackers IoT sensor Ibeacon type services Imperative to understand privacy leakage in BLE network data Measurement study of BLE privacy Communication between fitness trackers and smartphones 由于低功耗等特性，绝大多数运动手环都是使用ble通信。 目前ble最常应用在 作者限定了本篇工作的研究范围

BLE Introduction Bluetooth Low Energy (Bluetooth LE, colloquially BLE, formerly marketed as Bluetooth Smart) 2.4 GHz radio frequencies as classic Bluetooth Adaptive frequency hopping 40 channels – 3 for advertisement and 37 for connection Each BLE device switches between broadcast mode and connection mode

BLE Standard – Advertising Packets Undirected Connectable Advertising Packets Includes: MAC address Public address Random address Advertising content

BLE Standard – Data Packets Adaptive frequency hopping Most data communication transfer of payload happens in “start” packets Smartphones communicate with peripheral periodically

BLE Privacy Leakage Advertising Packets Data Packets User Tracking Activity Detection Person Identification

User Tracking with BLE Advertising Packets

User Tracking Attack Model Fitness trackers continuously advertise Smartphone disconnects to preserve energy Broadcasts to indicate its presence Can be sniffed by 3rd party Mac address in advertising packets -> Device Tracking If address is not altered – even after boot cycle Device info + Auxiliary Information -> User Tracking Secondary knowledge like video camera Since BLE range is small, fine grained user tracking is possible Ble广播信号持续发放 – 可以被第三方设备监听 广播包中包含MAC地址 – 可以识别设备 广播包中包含设备信息 – 可以识别用户

Gymnasium Dataset 8 days – 2 hours per day 7.5 million advertising packets “Local Name” field – used to identify fitness trackers 99 unique fitness trackers Smartphones – Do not advertise

Activity Detection

Activity Detection – Experimental Setup 10 volunteers – each wearing a Fitbit on their wrist 150 seconds each Repeated 10 times Use BLE sniffer to sniff when Fitbit app is opened on IPhone 6 User asked to do some actions Sit on a chair Work on a computer at a desk Run

Activity Detection Data rate is proportional to user activity intensity Simple features – data rate, numbers of “start” and “empty” packets Use a decision tree to classifier the dataset Activity identification for one user – 97.6%

Person Identification

Person Identification Fibit uses accelerometer for determining users’ motion related statistics. Moderately high correlation between BLE network traffic features and accelerometer readings Linear regression models built using accelerometer features BLE network traffic can be efficient indicator of user’ gait and motion

Person Identification Results BLE network feature based prediction Data-rate, Start, Empty Packets, Payload Sizze, Interval between Packets 89% accuracy for 5 people groups False positives < 5% for all combinations Attack possible even when MAC address is altered Small group of users, pre-trained Works in offices or small gyms

Possible Prevention Strategies Randomized MAC addresses as per standard Chaff in data packets – to prevent data rate being proportional to activity Internet of Things necessitates importance of BLE network privacy

What’s next? Ble sniffer 现在能做到哪些功能？ 1. 广播模式：改变自身的MAC地址，发送任意内容的广播包。 2. 被动监听模式：以第三方的模式被动监听ble连接发送的数据包，目前的 的工具能够完全破译ble的just work和6-digit pin配对模式，监听连接过程 的所有数据包，也可以进行重放攻击。 3. 主动监听模式：以中间人的模式介入连接，可以修改数据包内容，亦可以 主动构造数据包进行定向查询。

What’s next?

What’s next? 其他BLE设备？ 智能家居 智能医疗保健设备 ……