The Newer, the More Secure? Standards-Compliant Bluetooth Low Energy Man-in-the-Middle Attacks on Fitness Trackers
The trend in self-tracking devices has remained unabated for years. Even if they record a large quantity of sensitive data, most users are not concerned about their data being transmitted and stored in a secure way from the device via the companion app to the vendor’s server. However, the secure imp...
| Main Authors: | Hannah Greß, Björn Krüger, Elmar Tischhauser |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | MDPI AG 2025-03-01 |
| Series: | Sensors |
| Subjects: | fitness tracker; security; Bluetooth Low Energy; BLE; Internet of Things; IoT |
| Online Access: | https://www.mdpi.com/1424-8220/25/6/1815 |

| Field | Value |
|---|---|
| author | Hannah Greß Björn Krüger Elmar Tischhauser |
| collection | DOAJ |
| description | The trend in self-tracking devices has remained unabated for years. Even if they record a large quantity of sensitive data, most users are not concerned about their data being transmitted and stored in a secure way from the device via the companion app to the vendor’s server. However, the secure implementation of this chain from the manufacturer is not always given, as various publications have already shown. Therefore, we first provide an overview of attack vectors within the ecosystem of self-tracking devices. Second, we evaluate the data security of eight contemporary fitness trackers from leading vendors by applying four still partly standards-compliant Bluetooth Low-Energy Man-in-the-Middle (MitM) attacks. Our results show that the examined devices are partially vulnerable against the attacks. For most of the trackers, the manufacturers put different security measures in place. These include short and user-initiated visibility and connectivity or app-level authentication to limit the attack surface. Interestingly, newer models are more likely to be attackable, underlining the constant need for verifying the security of BLE devices, reporting found vulnerabilities, and also strengthening standards and improving security awareness among manufacturers and users. Therefore, we finish our work with recommendations and best practices for law- and regulation-makers, vendors, and users on how to strengthen the security of BLE devices. |
| format | Article |
| id | doaj-art-425a86c31d5f48d5a2857f06dff6d038 |
| institution | OA Journals |
| issn | 1424-8220 |
| language | English |
| publishDate | 2025-03-01 |
| publisher | MDPI AG |
| record_format | Article |
| series | Sensors |
| spelling | doaj-art-425a86c31d5f48d5a2857f06dff6d038; 2025-08-20T01:49:07Z; eng; MDPI AG; Sensors; ISSN 1424-8220; 2025-03-01; vol. 25, no. 6, art. 1815; DOI 10.3390/s25061815; The Newer, the More Secure? Standards-Compliant Bluetooth Low Energy Man-in-the-Middle Attacks on Fitness Trackers; Hannah Greß (Department of Mathematics and Computer Science, Phillips-University of Marburg, 35032 Marburg, Germany); Björn Krüger (Department of Epileptology, Medical Faculty, University Hospital Bonn, 53127 Bonn, Germany); Elmar Tischhauser (Department of Mathematics and Computer Science, Phillips-University of Marburg, 35032 Marburg, Germany); https://www.mdpi.com/1424-8220/25/6/1815; keywords: fitness tracker, security, Bluetooth Low Energy, BLE, Internet of Things, IoT |
| title | The Newer, the More Secure? Standards-Compliant Bluetooth Low Energy Man-in-the-Middle Attacks on Fitness Trackers |
| topic | fitness tracker; security; Bluetooth Low Energy; BLE; Internet of Things; IoT |
| url | https://www.mdpi.com/1424-8220/25/6/1815 |