Reversed Xiaomi application-layer opcodes and relevant values. Key, Const, R, Chal and Resp are 16-byte values shown in hex. Const equals 1863c2cce5d159413bed92c4b163c279.
Source publication
Article
Xiaomi is the leading company in the fitness tracking industry. Successful attacks on its fitness tracking ecosystem would result in severe consequences, including the loss of sensitive health and personal data. Despite these relevant risks, we know very little about the security mechanisms adopted by Xiaomi. In this work, we uncover them and show...

Contexts in source publication

Context 1
... class encodes a message type using a specific binary layout. Table 2 lists all messages that we can dissect and customize. The table's first column indicates the message type, the second column the message sender, and the third column the packet layout. ...
Context 2
... dissectors monitor the status of Authentication and the challenge-response. In our experiments, we crafted Authentication messages with different opcodes and noticed that MB 4/5/6 accept opcodes used by MB 2/3, as shown in Table 2. ...
Context 3
... visualize and inspect BLE packets using Wireshark [Wir21], a network protocol analyzer. We find several recurring opcodes, shown in Table 2. We define the Pairing, Authentication, and Communication protocols and implement them in our automated scripts. ...

Citations

... MitM attacks are real threats for various IoT devices including USB devices [13] (e.g., U2F and hardware wallets [25]), short distance devices (e.g., BLE and RFID Passive Keyless Entry (PKE) [10]), and WiFi and Ethernet devices (e.g., Smart Home [30]). Although secure communication protocols can prevent attackers from stealing fingerprints [56], [21], numerous real-world exploits indicate that these secure communications can still be broken by constructing different attacks, e.g., remote exploiting [17], [18], stealing hard-coded crypto keys [6], and investigating unencrypted traffic in millions of IoT devices [23], [19]. ...
... The MitM adversaries should be considered in IoT scenarios, as many IoT devices are too resource-constrained to adopt a secure implementation of TLS with SSL pinning [46], [27], or even do not encrypt the transmitted messages [19]. Under an insecure communication channel, attackers can launch two typical attacks: ...
... Depending on the model of the wristband there are two different options for pairing. For older models such as the Mi Band 2/3, when GadgetBridge scans the device and orders the pairing, the key is sent without protection from the app to the wristband, and the user confirms the pairing (Casagrande et al., 2022). However, for new models (tested on Mi Band 5/7) the pairing is mediated by Huami's servers. ...
... The server signs a pairing key generated from the wristband, based on a random number and the Bluetooth address. The wristband then verifies this signature to establish the pairing, which is confirmed by the user as above (Casagrande et al., 2022). This implies that it is first required to link the wristband to ZeppLife, then obtain this pairing key and use it to link to GadgetBridge, one or more wristbands, as it supports multi-device connection. ...
... These limitations could be minimised by analysing the vulnerabilities of the official applications and the connection protocols they use. Recently, Casagrande et al. (2022) succeeded in impersonating any Xiaomi fitness tracker and companion app such as ZeppLife. ...
Conference Paper
Thanks to the rise of wearable devices, people have more direct access to a variety of health data, such as physical activity, sleep and heart rate. For the research field, these devices represent a powerful tool for monitoring and evaluating different parameters. However, the procedure of capturing data for storage in an independent and self-managed database is not standardised. In this project we analysed two methods of data capture for the Xiaomi Mi Bands. One uses the official application together with Google Fit and the other uses the open source application GadgetBridge. The advantages and disadvantages of each system were studied, concluding that both could be very beneficial as data capture solutions for wearable devices in research, although with different target projects due to their particularities. Future work will explore these systems in more depth, addressing limitations, automation and optimising for specific research needs.
Article
Over the past decade, wearable activity trackers (WATs) have become increasingly popular. However, despite many research studies in different fields (such as psychology, health, and design), few have sought to jointly examine the critical aspects of utility (i.e., benefits brought by these devices), privacy, and security (i.e., risks and vulnerabilities associated with them). To fill this gap, we reviewed 236 studies that researched the benefits of using WATs, the implications for the privacy of users of WATs, and the security vulnerabilities of these devices. Our survey revealed that these devices expose users to several threats. For example, WAT data can be mined to infer private information, such as the personality traits of the user. Whereas many works propose empirical findings about users’ privacy perceptions and their behaviors in relation to privacy, we found relatively few studies researching technologies to better protect users’ privacy with these devices. This survey contributes to systematizing knowledge on the utility, privacy, and security of WATs, shedding light on the state-of-the-art approaches with these devices, and discussing open research opportunities.
Article
This paper studies the post-mortem digital forensic artifacts left by the Android Zepp Life (formerly Mi Fit) mobile application when used in conjunction with a Xiaomi Mi Band 6. The Mi Band 6 is a low-cost smart band device with several sensors that allow for health and activity monitoring, collecting metrics such as heart rate, blood oxygen saturation level, and step count. The device communicates via Bluetooth Low Energy with the Zepp Life application, which displays its data, provides some controls, and acts as a bridge to the Internet. We study, from a digital forensics perspective, the Android version of the mobile application in a rooted smartphone. For this purpose, we analyze the data repositories, namely its databases and XML files, and correlate the data on the smartphone with the corresponding usage of the Mi Band device. The paper also presents two open-source scripts we have developed to ease the task of forensic practitioners dealing with Zepp Life/Mi Band 6: ZL_std and ZL_autopsy. The former refers to a Python 3 script that extracts high-level views of Zepp Life data through the command-line, whereas the latter is a module that integrates ZL_std functionalities within the popular open-source Autopsy digital forensic software. Data stored on the Android companion device of a Mi Band 6 might include GPS coordinates, events and alarms, and biometric data such as heart rate, sleep time, and fitness activity, which can be valuable digital forensic artifacts. Anyone clicking on this link before June 30, 2023 will be taken directly to the final version of the article: https://authors.elsevier.com/a/1h3bj9UFWM%7E7T1