TY - JOUR
T1 - BreakMi
T2 - Reversing, Exploiting and Fixing Xiaomi Fitness Tracking Ecosystem
AU - Casagrande, Marco
AU - Losiouk, Eleonora
AU - Conti, Mauro
AU - Payer, Mathias
AU - Antonioli, Daniele
PY - 2022
Y1 - 2022
N2 - Xiaomi is the leading company in the fitness tracking industry. Successful attacks on its fitness tracking ecosystem would result in severe consequences, including the loss of sensitive health and personal data. Despite these relevant risks, we know very little about the security mechanisms adopted by Xiaomi. In this work, we uncover them and show that they are insecure. In particular, Xiaomi protects its fitness tracking ecosystem with custom application-layer protocols spoken over insecure Bluetooth Low-Energy (BLE) connections (ignoring standard BLE security mechanisms already supported by their devices) and TLS connections. We identify severe vulnerabilities affecting such proprietary protocols, including unilateral and replayable authentication. Those issues are critical as they affect all Xiaomi trackers released since 2016 and up-to-date Xiaomi companion apps for Android and iOS. We show in practice how to exploit the identified vulnerabilities by presenting six impactful attacks. Four attacks enable to wirelessly impersonate any Xiaomi fitness tracker and companion app, man-in-the-middle (MitM) them, and eavesdrop on their communication. The other two attacks leverage a malicious Android application to remotely eavesdrop on data from a tracker and impersonate a Xiaomi fitness app. Overall, the attacks have a high impact as they can be used to exfiltrate and inject sensitive data from any Xiaomi tracker and compatible app. We propose five practical and low-overhead countermeasures to mitigate the presented vulnerabilities. Moreover, we present breakmi, a modular toolkit that we developed to automate our reverse-engineering process and attacks. breakmi understands Xiaomi application-layer proprietary protocols, reimplements Xiaomi security mechanisms, and automatically performs our attacks. We demonstrate that our toolkit can be generalized by extending it to be compatible with the Fitbit ecosystem. We will open-source breakmi.
AB - Xiaomi is the leading company in the fitness tracking industry. Successful attacks on its fitness tracking ecosystem would result in severe consequences, including the loss of sensitive health and personal data. Despite these relevant risks, we know very little about the security mechanisms adopted by Xiaomi. In this work, we uncover them and show that they are insecure. In particular, Xiaomi protects its fitness tracking ecosystem with custom application-layer protocols spoken over insecure Bluetooth Low-Energy (BLE) connections (ignoring standard BLE security mechanisms already supported by their devices) and TLS connections. We identify severe vulnerabilities affecting such proprietary protocols, including unilateral and replayable authentication. Those issues are critical as they affect all Xiaomi trackers released since 2016 and up-to-date Xiaomi companion apps for Android and iOS. We show in practice how to exploit the identified vulnerabilities by presenting six impactful attacks. Four attacks enable to wirelessly impersonate any Xiaomi fitness tracker and companion app, man-in-the-middle (MitM) them, and eavesdrop on their communication. The other two attacks leverage a malicious Android application to remotely eavesdrop on data from a tracker and impersonate a Xiaomi fitness app. Overall, the attacks have a high impact as they can be used to exfiltrate and inject sensitive data from any Xiaomi tracker and compatible app. We propose five practical and low-overhead countermeasures to mitigate the presented vulnerabilities. Moreover, we present breakmi, a modular toolkit that we developed to automate our reverse-engineering process and attacks. breakmi understands Xiaomi application-layer proprietary protocols, reimplements Xiaomi security mechanisms, and automatically performs our attacks. We demonstrate that our toolkit can be generalized by extending it to be compatible with the Fitbit ecosystem. We will open-source breakmi.
KW - Bluetooth Low Energy
KW - Fitness Tracker
KW - IoT
KW - Reverse Engineering
UR - http://www.scopus.com/inward/record.url?scp=85134696606&partnerID=8YFLogxK
U2 - 10.46586/tches.v2022.i3.330-366
DO - 10.46586/tches.v2022.i3.330-366
M3 - Article
AN - SCOPUS:85134696606
SN - 2569-2925
VL - 2022
SP - 330
EP - 366
JO - IACR Transactions on Cryptographic Hardware and Embedded Systems
JF - IACR Transactions on Cryptographic Hardware and Embedded Systems
IS - 3
ER -