We devise SensCrypt, a protocol for secure data storage and communication, for use by makers of affordable and lightweight personal trackers. SensCrypt thwarts not only the attacks we introduced, but also defends against powerful JTAG Read attacks. We have built Sens.io, an Arduino Uno based tracker platform, of similar capabilities but at a fraction of the cost of current solutions. On Sens.io, SensCrypt imposes a negligible write overhead and significantly reduces the end-to-end sync overhead of Fitbit and Garmin.

1. SensCrypt: A Secure Protocol for
Managing Low Power Fitness Trackers
Mahmudur Rahman
Bogdan Carbunar, Umut Topkara
1February 3, 2015

2. Social Sensor Networks
2
wear
Trackers
User
Social sensor
networks

3. Concerns
 Social sensor networks collect massive personal data
 Source of privacy and security concerns
 Information inferred :
 Locations visited
 Times of user fitness activities
 Times when the user is not at home [PRM]
 Company organizational profiles [TKS13]
[PRM] Please Rob Me. http://www://pleaserobme.com/.
[TSK13] Michael Kota Tsubouchi, Ryoma Kawajiri, and Masamichi Shimosaka. Working
relationship detection from fitbit sensor data. In Proceedings of the UbiComp ’13
Adjunct, pages 115–118, 2013. 3

4. System Model
4
(a) (b)
System components: (a) Fitbit and (b) Garmin

5. Adversary Model
5
 Inspect attack
 Listen on system communications
 Inject attack
 Modify, inject, jam system communications
 Capture attack
 Acquire trackers or bases of victims
 Launch other attacks (e.g., Inspect and Inject)
 JTAG attack
 Capture attack +
 Access the memory of captured devices

6. This Work
 Demonstrate vulnerabilities in the storage and
transmission of fitness data
 Develop tools to attack Fitbit Ultra and Garmin
Forerunner
 SensCrypt: Secure tracker data storage and transmission
6

7. Vulnerabilities
7
 Fitbit: cleartext login information
 Fitbit and Garmin: cleartext http data processing
 Garmin: faulty authentication during pairing
 Tracker does not authenticate the base

8. This Work
 Demonstrate vulnerabilities in the storage and
transmission of fitness data
 Develop tools to attack Fitbit Ultra and Garmin
Forerunner
 SensCrypt: Secure tracker data storage and transmission
8

9. Data Capture (TPDC) attack
9
TPDC outcome on Garmin which includes both GPS
coordinates, heart rate, speed and cadence
 Attack takes less than 13s on both Fitbit and Garmin

10. Injection (TI) attacks
10
TI outcome on Fitbit. The daily step count is unreasonably
high (167116 steps)
 Attack takes less than 18s on both Fitbit and Garmin

11. User Account Injection (UAI) attack
11Unreasonable daily step counts (12M+) in Fitbit
 Attack takes only 6s on average

12. This Work
 Demonstrate vulnerabilities in the storage and
transmission of fitness data
 Develop tools to attack Fitbit Ultra and Garmin
Forerunner
 SensCrypt: Secure tracker data storage and transmission
12

13. SensCrypt Architecture
13
Encrypted
sensor data
Storage Connectivity
Keys
Authentication
Tracker Base Webserver
Connectivity
Connectivity
Map
Authentication
Data Decoding

14. RecordData operation
14
Record i
Record i
1. T generates EKT (ctr, i)
2. T xors D[i] with EKT (ctr, i) and EKW (ctr, i)
mem[i] = D[i] EKT (ctr, i) EKW (ctr, i)

15. Tracker Memory Organization
15
F(KW, 1, i)
clean
F(KW, 1, n). . .
end(a)
start
F(KW, 2, 1) . . . F(KW, 2, i-1) F(KW, 1, i)) F(KW, 1, n)). . .
end
(b)
(a) After (i-1) records have been written
F(KW, 1, 1) . . . F(KW, 1, i-1)
start/clean
encData[1] . . . encData[i-1]
start/dirty
(b) After Upload occurs at state in (a)
Clean/dirty

16. Upload operation (Extension of Fitbit protocol)
16
1a. [SEND, Beacon]
6b. [TRQ-DATA, tracker id, fitness data]
.....
7b. [WRITE, tracker id, opcode]
7c. [WRITE, Data]
7a. [WRITE, tracker id, opcode]
.....
TRQ − DATA, idT, mem[dirty…clean]
WRITE, idT, EKT(ctr + 1, EKW(ctr + 1, i))
WRITE, idT, EKT(ctr + 1, EKW(ctr + 1, i))
Tracker T Base B
Webserver W
6a. [READ-TRQ, tracker id, opcode]

17. Sens.io Platform
17
 Prototype tracker:
 Arduino Uno Rev3
 External Bluetooth shield
 SanDisk card shield
Only $52

18. FitCrypt vs SensCrypt
18
Solutions Fitbit Garmin
SensCrypt 6.02 6.06
FitCrypt-RSA 2300 2300
FitCrypt-ECC 2520 2520
RecordData computation overhead in ms
RecordData:
 SensCrypt is 2-3 orders of magnitude more efficient

19. 19
SensCrypt is 12 times faster than FitCrypt
FitCrypt vs SensCrypt (Cont.)
Solutions T W Communication
SensCrypt 502.13 190.4 153
FitCrypt (Fitbit) 904.56 177.36 162
FitCrypt (Garmin) 9366 322 1686
Upload:
SensCrypt is twice faster than Fitbit’s Upload protocol
Upload computation overhead in ms

20. Conclusions
20
 Demonstrated vulnerabilities in tracker from Fitbit
and Garmin
 Launched Inspect, Capture, Injection and JTAG-R
attacks
 Presented SensCrypt for secure fitness data storage
and transmission
 Developed cost efficient Sens.io tracker platform

21. 21
Questions ? mrahm004@fiu.edu

22. 22
Extra Slides

23. SensCrypt properties
23
 Ensure even wear of tracker memory
 No storage overhead on trackers
 Prevent JTAG-R, inspect attack, capture attacks and
also man-in-the-middle and replay attacks
 User friendly: The user is never involved

24. Reverse Engineering
24
Fitbit Upload
protocol

25. Garmin Pairing Procedure
25