Abstract
The trend in self-tracking devices has remained unabated for years. Even if they record a large quantity of sensitive data, most users are not concerned about their data being transmitted and stored in a secure way from the device via the companion app to the vendor's server. However, the secure implementation of this chain from the manufacturer is not always given, as various publications have already shown. Therefore, we first provide an overview of attack vectors within the ecosystem of self-tracking devices. Second, we evaluate the data security of eight contemporary fitness trackers from leading vendors by applying four still partly standards-compliant Bluetooth Low-Energy Man-in-the-Middle (MitM) attacks. Our results show that the examined devices are partially vulnerable against the attacks. For most of the trackers, the manufacturers put different security measures in place. These include short and user-initiated visibility and connectivity or app-level authentication to limit the attack surface. Interestingly, newer models are more likely to be attackable, underlining the constant need for verifying the security of BLE devices, reporting found vulnerabilities, and also strengthening standards and improving security awareness among manufacturers and users. Therefore, we finish our work with recommendations and best practices for law- and regulation-makers, vendors, and users on how to strengthen the security of BLE devices.