Xiaomi is the leading company in the fitness tracking industry. Successful attacks on its fitness tracking ecosystem would result in severe consequences, including the loss of sensitive health and personal data. Despite these relevant risks, we know very little about the security mechanisms adopted by Xiaomi. In this work, we uncover them and show that they are insecure. In particular, Xiaomi protects its fitness tracking ecosystem with custom application-layer protocols spoken over insecure Bluetooth Low-Energy (BLE) connections (ignoring standard BLE security mechanisms already supported by their devices) and TLS connections. We identify severe vulnerabilities affecting such proprietary protocols, including unilateral and replayable authentication.
Those issues are critical as they affect all Xiaomi trackers released since 2016 and up-to-date Xiaomi companion apps for Android and iOS. We show in practice how to exploit the identified vulnerabilities by presenting six impactful attacks. Four attacks enable to wirelessly impersonate any Xiaomi fitness tracker and companion app, man-in-the-middle (MitM) them, and eavesdrop on their communication. The other two attacks leverage a malicious Android application to remotely eavesdrop on data from a tracker and impersonate a Xiaomi fitness app.
Overall, the attacks have a high impact as they can be used to exfiltrate and inject sensitive data from any Xiaomi tracker and compatible app. We propose five practical and low-overhead countermeasures to mitigate the presented vulnerabilities. Moreover, we present BreakMi, a modular toolkit that we developed to automate our reverse-engineering process and attacks. breakmi understands Xiaomi application-layer proprietary protocols, reimplements Xiaomi security mechanisms, and automatically performs our attacks. We demonstrate that our toolkit can be generalized by extending it to be compatible with the Fitbit ecosystem. We will open-source BreakMi.
Marco Casagrande is a second year PhD student at EURECOM with the software and system security (S3) group. He is interested in IoT security such as fitness trackers and e-scooters, wireless security including BLE, and reverse engineering of proprietary technologies such as protocols, apks, and firmware.
Daniele Antonioli is an Assistant Professor at EURECOM with the software and system security (S3) group and is Marco’s PhD advisor. He does research and teaching in applied system security and privacy. He works on wireless communication, such as Bluetooth and Wi-Fi, embedded systems, such as cars and fitness trackers, mobile systems such as smartphones, and cyber-physical systems such as industrial control systems. His personal website is at https://francozappa.github.io/