SensCrypt: A secure protocol for managing low power fitness trackers

Abstract

The increasing interest in personal telemetry has induced a popularity surge for wearable personal fitness trackers. Such trackers automatically collect sensor data about the user throughout the day, and integrate it into social network accounts. Solution providers have to strike a balance between many constraints, leading to a design process that often puts security in the back seat. Case in point, we reverse engineered and identified security vulnerabilities in Fit bit Ultra and Gammon Forerunner 610, two popular and representative fitness tracker products. We introduce Fit Bite and GarMax, tools to launch efficient attacks against Fit bit and Garmin. We devise SensCrypt, a protocol for secure data storage and communication, for use by makers of affordable and lightweight personal trackers. SensCrypt thwarts not only the attacks we introduced, but also defends against powerful JTAG Read attacks. We have built Sens.io, an Arduino Uno based tracker platform, of similar capabilities but at a fraction of the cost of current solutions. On Sens.io, SensCrypt imposes a negligible write overhead and significantly reduces the end-to-end sync overhead of Fit bit and Garmin.