On the Security of Bluetooth Low Energy in Two Consumer Wearable Heart Rate Monitors/Sensing Devices
Figure 1. Bluetooth Low Energy (BLE) protocol stack and protocol packet format. (a) BLE protocol stack; (b) BLE protocol packet format.
Figure 2. Experimental setup. The arrows in the figure indicate communication direction among devices/software. The dashed line indicates eavesdropping the communication channel.
Figure 3. Polar H7 heart rate data/advertising packets.
Figure 4. Design of a Bluetooth Security Facts Label (BSFL) for the Polar H7 wearable. In this example, the QR code for the device’s privacy policy encodes the URL of Polar’s website’s privacy notice.
Abstract
1. Introduction
- We report on the architecture and security features available in Bluetooth LE 4.0 and 4.1.
- We describe a testbed to study BLE implementations on hardware.
- We investigate security issues on implementations of Bluetooth LE in three commercially available devices, namely a Fitbit wristband device, a chest wearable, and a BLE keyboard. The devices are manufactured by popular brands, and to the best of our knowledge, the specific BLE manufacturers’ security implementations (the actual hardware/software BLE implementations done by the manufacturers) of these three devices have not been previously investigated.
- We propose the incorporation of a Bluetooth Security Facts Label (BSFL), which the Bluetooth Special Interest Group (SIG) and/or manufacturers could incorporate into the Bluetooth-enabled device’s commercial product packaging to help the consumer identify the security/privacy features of a device.
2. Bluetooth Low Energy Protocol and Security
2.1. Bluetooth Low Energy Protocol Stack Architecture
- Application block: The application block implements software based on the manufacturer’s need, which may vary from device to device.
- Host block: This block is responsible for the protocols and profiles implemented in BLE devices and defines the packet semantics.
- Controller block: This block features much of the device’s hardware, including the radio interface and its physical characteristics. This block is responsible for data broadcasts over the wireless media.
2.2. Bluetooth Low Energy Security
2.3. Related Works
3. Materials and Methods
- ComProbe Bluetooth Protocol Analyser (BPA): This hardware device was used to capture wireless BLE traffic over a single BLE connection. At the same time, this device can capture all advertising packets in its vicinity. The ComProbe requires the use of ComProbe software, freely available at its website. Many studies on Bluetooth LE technology use the affordable Ubertooth One hardware for capturing BLE traffic. The authors had access to an Ubertooth One device and a ComProbe BPA during their research. Capturing traffic by ComProbe BPA was more reliable and convenient based on the authors’ experience, so they proceeded with ComProbe BPA in their study.
- Laptop/PC: These devices were used to connect the ComProbe device and to execute its software. They ran Windows 7 and 10, and the ComProbe BPA was connected via USB.
- BLE-enabled devices: We used two heart rate wearables and a BLE keyboard in our study. The wearables used were a Fitbit Charge (Bluetooth LE 4.1) and a Polar H7 Heart Rate Sensor (Bluetooth LE 4.0). The keyboard was a Bluebyte portable keyboard with Bluetooth LE 4.0. The Fitbit Charge is a wrist heart rate wearable, with official Apple iOS and Android apps, and it collects step count, distance covered, and calories burned (among other fitness data). The Fitbit Charge must use the official Fitbit app to work. The Polar H7 heart rate sensor straps onto the chest of a user and it transmits heart rate data. The Polar H7 has official apps for Android and iOS, but it can also be used without these official apps. Finally, the Bluebyte portable keyboard can connect to any Android/iOS and laptop/PC without the need of any app. Polar is a popular heart rate monitor brand with good rankings from consumer communities [34,35]. Even though Polar H9 is cited among the best HR trackers [34,35], the official website for Polar lists Bluetooth 4.0 to be the compatible Bluetooth version in their heart rate monitors [36]. The Polar H7 used in this study is an affordable device still in the market today [37], which implements the same Bluetooth version as its successor. Fitbit is a highly ranked smart watch/health tracker brand popular among consumers [38]. The Fitbit Charge 4 is an affordable Fitbit version available in the market [39,40]. The Bluebyte keyboard is also available in the market, advertised as a “Bluetooth V4.0 and 2.4G Wireless Multi-Device Keyboard” [41,42].
- BLE Master Bluetooth Devices: We used different smart phones and a PC, which served as BLE master devices. These were: an ASUS Zenfone Max 3, the Samsung Galaxy S4, a Samsung Galaxy S7, an Apple iPhone 7, and a HP Pavilion PC x360. All of these devices varied in Bluetooth version. For the smart phones, we downloaded and installed the software provided by the wearables’ manufacturers.
4. Results
4.1. Fitbit Charge
4.2. Polar H7 Heart Rate Sensor
4.3. Bluebyte Keyboard
5. Discussion
6. Conclusion and Future Work
Author Contributions
Funding
Acknowledgments
Conflicts of Interest
References
- Perez, A.J.; Zeadally, S. Recent Advances in Wearable Sensing Technologies. Sensors 2021, 21, 6828.
- Tekler, Z.D.; Low, R.; Burak, G.; Rune, K.A.; Blessing, L. A Scalable Bluetooth Low Energy Approach to Identify Occupancy Patterns and Profiles in Office Spaces. Build. Environ. 2020, 171, 106681.
- Filippoupolitis, A.; Oliff, W.; Loukas, G. Occupancy detection for building emergency management using BLE beacons. In Proceedings of the International Symposium on Computer and Information Sciences, Krakow, Poland, 27–28 October 2016; Springer: Cham, Switzerland, 2016; pp. 233–240.
- Choi, M.; Park, W.K.; Lee, I. Smart office energy management system using bluetooth low energy based beacons and a mobile app. In Proceedings of the 2015 IEEE International Conference on Consumer Electronics (ICCE), Las Vegas, NV, USA, 9–12 January 2015; pp. 501–502.
- Bluetooth Resources. Available online: https://www.bluetooth.com/bluetooth-resources/?types=news_article (accessed on 16 January 2022).
- Bluetooth Special Interest Group. Core Specification 4.0. 2010. Available online: https://www.bluetooth.com/specifications/specs/core-specification-4-0/ (accessed on 16 January 2022).
- Silicon Labs. Understanding Bluetooth 4.1, 4.2, and Beyond. Available online: https://community.silabs.com/s/share/a5U1M000000knuTUAQ/understanding-bluetooth-41-42-and-beyond?language=en_US (accessed on 16 January 2022).
- Bluetooth Special Interest Group. Core Specification 5.2. 2019. Available online: https://www.bluetooth.com/specifications/specs/core-specification-5-2/ (accessed on 16 January 2022).
- Bluetooth Special Interest Group. Bluetooth Core Specification Version 5.3 Feature Enhancements. 2021. Available online: https://www.bluetooth.com/bluetooth-resources/bluetooth-core-specification-version-5-3-feature-enhancements/ (accessed on 16 January 2022).
- Bluetooth Special Interest Group. Core Specification 4.1. 2013. Available online: https://www.bluetooth.com/specifications/specs/core-specification-4-1/ (accessed on 16 January 2022).
- Spill, D. Bluetooth Packet Sniffing Using Project Ubertooth. 2012. Available online: https://2012.ruxcon.org.au/assets/rux/Spill-Ubertooth.pdf (accessed on 25 January 2022).
- Ryan, M. Bluetooth: With Low Energy Comes Low Security. In Proceedings of the 7th USENIX Workshop on Offensive Technologies, Washington, DC, USA, 13 August 2013; p. 4.
- Willingham, T.; Henderson, C.; Kiel, B.; Haque, M.S.; Atkison, T. Testing vulnerabilities in Bluetooth low energy. In Proceedings of the ACMSE 2018 Conference, Richmond, KY, USA, 29–31 March 2018; pp. 1–7.
- Hassan, S.S.; Bibon, S.D.; Hossain, M.S.; Atiquzzaman, M. Security threats in Bluetooth technology. Comput. Secur. 2017, 74, 308–322.
- Albazrqaoe, W.; Huang, J.; Xing, G. Practical Bluetooth traffic sniffing: Systems and privacy implications. In Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services MobiSys’16, New York, NY, USA, 26–30 June 2016; pp. 333–345.
- Chen, H.; Faruque, M.; Chou, P. Security and privacy challenges in IoT-based machine-to-machine collaborative scenarios. In Proceedings of the 2016 International Conference on Hardware/Software Codesign and System Synthesis (CODES+ISSS), Pittsburgh, PA, USA, 2–7 October 2016; IEEE: Manhattan, NY, USA, 2016; pp. 1–2, ISBN 978-1-4503-4483-8/16/10.
- Lonzetta, A.M.; Cope, P.; Campbell, J.; Mohd, B.J.; Hayajneh, T. Security Vulnerabilities in Bluetooth Technology as Used in IoT. J. Sens. Actuator Netw. 2018, 7, 28.
- Ray, A.; Raj, V.; Oriol, M.; Monot, A.; Obermeier, S. Bluetooth Low Energy Devices Security Testing Framework. In Proceedings of the 2018 IEEE 11th International Conference on Software Testing, Verification and Validation (ICST), Västerås, Sweden, 9–13 April 2018; IEEE: Manhattan, NY, USA; pp. 384–393.
- Das, A.; Pathak, P.; Chuah, C.; Mohapatra, P. Uncovering privacy leakage in BLE network traffic of wearable fitness trackers. In Proceedings of the HotMobile ’16: 17th International Workshop on Mobile Computing Systems and Applications, New York, NY, USA, 23–24 February 2016; pp. 99–104.
- Snader, R.; Kravets, R.; Harris, A. CryptoCoP: Lightweight, Energy-Efficient Encryption and Privacy for Wearable Devices. In Proceedings of the 2016 Workshop on Wearable Systems and Applications, New York, NY, USA, 30 June 2016; pp. 7–12.
- Hilts, A.; Parsons, C.; Knockel, J. Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security. Open Effect Report. 2016. Available online: https://openeffect.ca/reports/Every_Step_You_Fake.pdf (accessed on 15 January 2022).
- Zhang, Q.; Liang, Z. Security analysis of bluetooth low energy based smart wristbands. In Proceedings of the 2017 2nd International Conference on Frontiers of Sensors Technologies (ICFST), Shenzhen, China, 14–16 April 2017; IEEE: Manhattan, NY, USA, 2017; pp. 421–425.
- Cyr, B.; Horn, W.; Miao, D.; Specter, M. Security Analysis of Wearable Fitness Devices (Fitbit). 2014. Available online: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082016/17-cyrbritt-webbhorn-specter-dmiao-hacking-Fitbit.pdf (accessed on 15 January 2022).
- Arias, O.; Wurm, J.; Hoang, K.; Jin, Y. Privacy and Security in Internet of Things and Wearable Devices. IEEE Trans. Multi-Scale Comput. Syst. 2015, 1, 99–109.
- Rose, A.; Ramsey, B. Picking Bluetooth Low Energy Locks from a Quarter Mile Away. 2016. Available online: https://av.tib.eu/media/36217 (accessed on 15 January 2022).
- Cauquil, D. BTLEJuice, un Framework D’interception Pour le Bluetooth Low Energy. 2017. Available online: https://www.slideshare.net/NetSecureDay/nsd16-btle-juice-un-framework-dinterception-pour-le-bluetooth-low-energy-damien-cauquil (accessed on 21 January 2022).
- Jasek, S. Blue Picking–Hacking Bluetooth Smart Locks. 2017. Available online: http://conference.hitb.org/hitbsecconf2017ams/materials/D2T3%20-%20Slawomir%20Jasek%20-%20Blue%20Picking%20-%20Hacking%20Bluetooth%20Smart%20Locks.pdf (accessed on 15 January 2022).
- Tan, V. Hacking BLE Bicycle Locks for Fun and a Small Profit. 2018. Available online: https://av.tib.eu/media/39752 (accessed on 15 January 2022).
- Gullberg, P. Denial of Service Attack on Bluetooth Low Energy. Available online: https://www.researchgate.net/publication/317063884 (accessed on 15 January 2022).
- Lounis, K.; Zulkernine, M. Bluetooth Low Energy Makes “Just Works” Not Work. In Proceedings of the 2019 3rd Cyber Security in Networking Conference (CSNet), Quito, Ecuador, 23–25 October 2019; IEEE: Manhattan, NY, USA, 2019; pp. 99–106.
- Janesko, J.A. Bluetooth Low Energy Security Analysis Framework. In Technical Report RHUL-ISG-2018-5; Royal Holloway University of London: Egham, UK, 2018; Available online: https://www.royalholloway.ac.uk/media/5615/rhul-isg-2018-5-abstract-jenniferjanesko.pdf.
- Issoufaly, T.; Tournoux, P.U. BLEB: Bluetooth Low Energy Botnet for large scale individual tracking. In Proceedings of the 2017 1st International Conference on Next Generation Computing Applications (NextComp), Mauritius, 19–21 July 2017; IEEE: Piscataway, NJ, USA, 2017.
- Robles-Cordero, A.M.; Zayas, W.J.; Peker, Y.K. Extracting the security features implemented in a Bluetooth LE connection. In Proceedings of the 2018 IEEE International Conference on Big Data (Big Data), Seattle, WA, USA, 10–13 December 2018; pp. 2559–2563.
- PCMag. The Best Heart Rate Monitors for 2022. Available online: https://www.pcmag.com/picks/the-best-heart-rate-monitors (accessed on 15 January 2022).
- Healthline. The 8 Best Heart Rate Monitors You Can Buy in 2022. Available online: https://www.healthline.com/health/fitness/heart-rate-monitor#A-quick-look-at-the-best-heart-rate-monitors (accessed on 15 January 2022).
- Polar Official Site. Polar Devices & Phone Compatibility. Available online: https://www.polar.com/ble/ (accessed on 15 January 2022).
- Amazon. Polar H7 Bluetooth Heart Rate Sensor & Fitness Tracker. Available online: https://www.amazon.com/Polar-Bluetooth-Sensor-Fitness-Tracker/dp/B00FZX9CW4?th=1&psc=1 (accessed on 15 January 2022).
- Fitbit Charge 4 Review: A Better Fitness Tracker without the Bulk. 2022. Available online: https://www.cnet.com/health/fitness/Fitbit-charge-4-review-better-fitness-tracker-built-in-gps-better-sleep-tracking-slim-design/ (accessed on 15 January 2022).
- Walmart. Fitbit Charge 4 (NFC) Activity Fitness Tracker, Black. Available online: https://www.walmart.com/ip/Fitbit-Charge-4-NFC-Activity-Fitness-Tracker-Black/599342265 (accessed on 15 January 2022).
- Amazon. Fitbit Charge 4 Fitness and Activity Tracker with Built-in GPS, Heart Rate, Sleep & Swim Tracking, Black/Black, One Size (S & L Bands Included). Available online: https://www.amazon.com/Fitbit-Fitness-Activity-Tracking-Included/dp/B084CQ41M2?th=1 (accessed on 15 January 2022).
- Amazon. Multi-Device Keyboard, Bluebyte Full Size Bluetooth 4.0 LE & 2.4G Wireless Keyboard for Windows PC, Dual Mode 2.4G Wireless Bluetooth Keyboard for Computer Desktop Laptop Surface Tablet Smartphone. Available online: https://www.amazon.com/Universal-Wireless-Bluetooth-Multi-Device-Ultra-Slim/dp/B073NZNFZG (accessed on 15 January 2022).
- Walmart. Multi-Device Keyboard, Bluebyte Full Size Bluetooth 4.0 LE & 2.4G Wireless Keyboard for Windows PC, Dual Mode 2.4G Wireless Bluetooth Keyboard for Computer Desktop Laptop Surface Tablet Smartphone. Available online: https://www.walmart.com/ip/Bluebyte-Multi-Device-Keyboard-Bluebyte-Full-Size-Bluetooth-4-0-Le-2-4G-Wireless-Keyboard-For-Windows-Pc-Dual-Mode-Computer-Desktop-Laptop-Surface-Ta/758674807 (accessed on 15 January 2022).
- Food and Drug Administration. FDA Issues Landmark Proposal to Improve Access to Hearing Aid Technology for Millions of Americans. Available online: https://www.fda.gov/news-events/press-announcements/fda-issues-landmark-proposal-improve-access-hearing-aid-technology-millions-americans (accessed on 30 December 2021).
- Perez, A.J.; Zeadally, S. Privacy issues and solutions for consumer wearables. Professional 2017, 20, 46–56.
- Perez, A.J.; Zeadally, S.; Cochran, J. A review and an empirical analysis of privacy policy and notices for consumer Internet of Things. Secur. Priv. 2018, 1, e15.
- Blasco, J.; Chen, T.M.; Tapiador, J.; Peris-Lopez, P. A survey of wearable biometric recognition systems. ACM Comput. Surv. 2016, 49, 1–35.
- Bianchi, A.; Oakley, I. Wearable authentication: Trends and opportunities. IT-Inf. Technol. 2016, 58, 255–262.
- Perez, A.J.; Zeadally, S.; Jabeur, N. Security and privacy in ubiquitous sensor networks. J. Inf. Process. Syst. 2018, 14, 286–308.
- Blasco, J.; Peris-Lopez, P. On the feasibility of low-cost wearable sensors for multi-modal biometric verification. Sensors 2018, 18, 2782.
- Gonzalez-Manzano, L.; Fuentes, J.M.D.; Ribagorda, A. Leveraging user-related internet of things for continuous authentication: A survey. ACM Comput. Surv. 2019, 52, 1–38.
- Corn, B.; Perez, A.J.; Ruiz, A.; Cetin, C.; Ligatti, J. An Evaluation of the Power Consumption of Coauthentication as a Continuous User Authentication Method in Mobile Systems. In Proceedings of the 2020 ACM Southeast Conference, Tampa, FL, USA, 2–4 April 2020; pp. 268–271.
- Rahman, M.; Carbunar, B.; Banik, M. Fit and vulnerable: Attacks and defenses for a health monitoring device. arXiv 2013, arXiv:1304.5672.
- Stute, M.; Heinrich, A.; Lorenz, J.; Hollick, M. Disrupting Continuity of Apple’s Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL, and Wi-Fi. In Proceedings of the 30th USENIX Security Symposium (USENIX Security ’21), Vancouver, BC, Canada, 11–13 August 2021.
- Cayre, R.; Galtier, F.; Auriol, G.; Nicomette, V.; Kaâniche, M.; Marconato, G. WazaBee: Attacking Zigbee networks by diverting Bluetooth Low Energy chips. In Proceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Taipei, Taiwan, 21–24 June 2021.
- Kelley, P.G.; Bresee, J.; Cranor, L.F.; Reeder, R.W. A “nutrition label” for privacy. In Proceedings of the 5th Symposium on Usable Privacy and Security, New York, NY, USA, 15–17 July 2009; pp. 1–12.
Device | BLE Version | Association Model | Address Randomization | Connection Encryption |
---|---|---|---|---|
Fitbit Charge wristband | 4.1 | Passkey entry | No | Yes |
Polar H7 | 4.0 | Just works | No | No |
Bluebyte keyboard | 4.0 | Just works | No | No |
Question | Rationale |
---|---|
Is the BLE device a “Qualified Bluetooth Device” listed on the Bluetooth Product Listing Database? | All Bluetooth qualified devices are listed on the Bluetooth SIG Product Listing Database. Devices (or chips) not listed on this database are violating Bluetooth SIG rights/branding |
Does the product commercial packaging mention the Bluetooth/BLE versions that the device implements and/or any of its security features? | No indication of BLE versions/security features could indicate absence of security |
Is the company that manufactures the BLE device a well-known company? | Unknown/less-known companies could have practices that incur technical debt, sacrificing security and user privacy |
Does the BLE device include a mobile app and/or mention a privacy policy associated with the device in its company website? | The absence of privacy policies could indicate irregular/bad security and/or privacy practices. Companies could be liable if the privacy policy states that user/sensor data is protected but the BLE device leaks data |
Is the BLE device an FDA-approved device to diagnose, treat, or help manage a disease/health condition? | FDA-approved devices must present, as part of their FDA certification process, a study of the security aspects of the device using FDA-recommended information security standards [1]. |
Does the BLE device’s commercial packaging mention that the device complies with HIPAA, Children’s Online Privacy Protection (COPPA), Gramm-Leach-Bliley Act (for financial privacy), or any other privacy law, such as the European Union’s General Data Protection Rules (GDPR)? | Privacy laws, such as HIPAA, COPPA, financial privacy, and GDPR, require privacy practices and protections for devices and systems involved in data collection for medical records, children’s data, financial data, and EU citizens’ data |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Kurt Peker, Y.; Bello, G.; Perez, A.J. On the Security of Bluetooth Low Energy in Two Consumer Wearable Heart Rate Monitors/Sensing Devices. Sensors 2022, 22, 988. https://doi.org/10.3390/s22030988