A Case Study on Vulnerability Analysis and Firmware Modification Attack for a Wearable Fitness Tracker

Jaewoo Shim¹, Kyeonghwan Lim¹, Jaemin Jeong¹, Seong-je Cho¹,

Minkyu Park² and Sangchul Han²⁺
 

¹Dept. of Computer Science and Engineering, Dankook University

Yongin-si, Gyeonggi-do 16890 South Korea

{tlawodn94, limkh120, snorlax, sjcho}@dankook.ac.kr

²Dept. of Computer Engineering, Konkuk University

Chungju-si, Chungcheongbuk-do 27478 South Korea

{minkyup, schan}@kku.ac.kr

Abstract

As wearable fitness trackers have been used to collect and analyze users’ behaviors such as vital signs and physical workout in daily life, many studies have recently addressed security and privacy issues of wearable fitness trackers. In this paper we focus specifically on (1) analysis of vulnerabilities in firmware of a fitness tracker, a gateway (Android app) connected to the fitness tracker, and communication protocol between the fitness tracker and its genuine gateway using reverse engineering, and (2) creation of a PC based fake gateway by exploiting the vulnerabilities. We finally demonstrate a proof-of- concept firmware attack against a fitness tracker using the created fake gateway.

Keywords: Fitness Tracker, Vulnerability Analysis, Firmware Modification, Fake Gateway, Reverse

Engineering

+: Corresponding author: Sangchul Han
Department of Computer Engineering, Konkuk University, 268 Chungwondaero, Chungju-si,

Chungcheongbuk-do, 27478, Korea, Tel: +82-43-840-3605

IT Convergence Practice (INPRA), Vol. 5, No. 4, pp. 25-33, December 2017 [pdf]