We devise SensCrypt, a protocol for secure data storage and
communication, for use by makers of affordable and lightweight
personal trackers. SensCrypt thwarts not only the attacks we
introduced, but also defends against powerful JTAG Read attacks.
We have built Sens.io, an Arduino Uno based tracker
platform, of similar capabilities but at a fraction of the cost of
current solutions. On Sens.io, SensCrypt imposes a negligible
write overhead and significantly reduces the end-to-end sync
overhead of Fitbit and Garmin.
3. Concerns
Social sensor networks collect massive personal data
Source of privacy and security concerns
Information inferred:
Locations visited
Times of user fitness activities
Times when the user is not at home [PRM]
Company organizational profiles [TKS13]
[PRM] Please Rob Me. http://www.pleaserobme.com/.
[TKS13] Michael Kota Tsubouchi, Ryoma Kawajiri, and Masamichi Shimosaka. Working relationship detection from fitbit sensor data. In Proceedings of the UbiComp '13 Adjunct, pages 115–118, 2013.
5. Adversary Model
Inspect attack
  Listen on system communications
Inject attack
  Modify, inject, jam system communications
Capture attack
  Acquire trackers or bases of victims
  Launch other attacks (e.g., Inspect and Inject)
JTAG attack
  Capture attack + access the memory of captured devices
6. This Work
Demonstrate vulnerabilities in the storage and transmission of fitness data
Develop tools to attack Fitbit Ultra and Garmin Forerunner
SensCrypt: Secure tracker data storage and transmission
7. Vulnerabilities
Fitbit: cleartext login information
Fitbit and Garmin: cleartext http data processing
Garmin: faulty authentication during pairing
Tracker does not authenticate the base
9. Data Capture (TPDC) attack
TPDC outcome on Garmin, which includes GPS coordinates, heart rate, speed and cadence
Attack takes less than 13s on both Fitbit and Garmin
10. Injection (TI) attacks
TI outcome on Fitbit. The daily step count is unreasonably high (167116 steps)
Attack takes less than 18s on both Fitbit and Garmin
11. User Account Injection (UAI) attack
Unreasonable daily step counts (12M+) in Fitbit
Attack takes only 6s on average
14. RecordData operation
1. T generates $E_{K_T}(ctr, i)$
2. T xors D[i] with $E_{K_T}(ctr, i)$ and $E_{K_W}(ctr, i)$:
$mem[i] = D[i] \oplus E_{K_T}(ctr, i) \oplus E_{K_W}(ctr, i)$
15. Tracker Memory Organization
[Figure: tracker memory with start, end, clean and dirty pointers. Cell contents shown: F(KW, 1, 1) . . . F(KW, 1, n), F(KW, 2, 1) . . . F(KW, 2, i-1), and encData[1] . . . encData[i-1].]
(a) After (i-1) records have been written
(b) After Upload occurs at state in (a)
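The RecordData step and the memory layout above, as an added Python example (not code from the SensCrypt authors). It assumes each clean slot is pre-filled with the K_W pad, treating the slide's F(KW, ctr, i) as E_KW(ctr, i), and that whoever decodes holds both keys. HMAC-SHA256 stands in for E, and the slot size, keys and record are constructed.

```python
import hashlib
import hmac
import struct

RECORD_LEN = 16  # bytes per record slot (assumed size)

def pad(key: bytes, ctr: int, i: int) -> bytes:
    """Stand-in for E_K(ctr, i): HMAC-SHA256 used as a PRF, cut to one slot."""
    msg = struct.pack(">II", ctr, i)
    return hmac.new(key, msg, hashlib.sha256).digest()[:RECORD_LEN]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def provision(k_w: bytes, ctr: int, n: int) -> list:
    """Fill n clean slots with E_KW(ctr, i); done by the holder of K_W."""
    return [pad(k_w, ctr, i) for i in range(1, n + 1)]

def record_data(mem: list, k_t: bytes, ctr: int, i: int, d: bytes) -> None:
    """Tracker T: mem[i] = D[i] xor E_KT(ctr, i) xor E_KW(ctr, i).
    The slot already holds E_KW(ctr, i), so T needs only K_T."""
    if len(d) != RECORD_LEN:
        raise ValueError("record must fill exactly one slot")
    mem[i - 1] = xor(xor(d, pad(k_t, ctr, i)), mem[i - 1])

def recover(mem: list, k_t: bytes, k_w: bytes, ctr: int, i: int) -> bytes:
    """A party holding both keys strips both pads to get D[i] back."""
    return xor(xor(mem[i - 1], pad(k_t, ctr, i)), pad(k_w, ctr, i))

def memory_read_view(mem: list, k_t: bytes, ctr: int, i: int) -> bytes:
    """What a single read of tracker memory (slots plus K_T) yields after
    the write: D[i] xor E_KW(ctr, i), still masked by the K_W pad."""
    return xor(mem[i - 1], pad(k_t, ctr, i))

if __name__ == "__main__":
    k_t, k_w = b"T" * 16, b"W" * 16          # constructed demo keys
    mem = provision(k_w, ctr=1, n=4)
    d = b"steps=0000004213"                  # constructed 16-byte record
    record_data(mem, k_t, ctr=1, i=2, d=d)
    print("slot 2 :", mem[1].hex())
    print("reader :", memory_read_view(mem, k_t, 1, 2).hex())
    print("decoded:", recover(mem, k_t, k_w, 1, 2))
```

The encrypted record overwrites the pad in the same slot, so the ciphertext takes no more space than the cleartext record would.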
18. FitCrypt vs SensCrypt
RecordData:
Solutions       Fitbit   Garmin
SensCrypt       6.02     6.06
FitCrypt-RSA    2300     2300
FitCrypt-ECC    2520     2520
RecordData computation overhead in ms
SensCrypt is 2-3 orders of magnitude more efficient
19. FitCrypt vs SensCrypt (Cont.)
Upload:
Solutions            T        W        Communication
SensCrypt            502.13   190.4    153
FitCrypt (Fitbit)    904.56   177.36   162
FitCrypt (Garmin)    9366     322      1686
Upload computation overhead in ms
SensCrypt is 12 times faster than FitCrypt
SensCrypt is twice as fast as Fitbit's Upload protocol
20. Conclusions
Demonstrated vulnerabilities in trackers from Fitbit and Garmin
Launched Inspect, Capture, Injection and JTAG-R attacks
Presented SensCrypt for secure fitness data storage and transmission
Developed cost-efficient Sens.io tracker platform
23. SensCrypt properties
Ensure even wear of tracker memory
No storage overhead on trackers
Prevent JTAG-R, Inspect and Capture attacks, as well as man-in-the-middle and replay attacks
User friendly: The user is never involved