Malware can detect data volumes and transmission times on portable devices. | Photo: unsplash

Smartwatches, fitness trackers, heart monitors... Connected devices are omnipresent in our society. Research by Ludovic Barman, a doctoral assistant at the Data Security Laboratory at EPFL, shows that encrypted Bluetooth communications between a wearable device and its connected smartphone might protect the content, but can leak sensitive information through metadata, e.g., data volumes and transmission times.

“We have demonstrated for the first time that metadata from connected devices poses an insidious threat to user privacy by simulating so-called ‘traffic analysis’ hacks”, Barman says. To do this, he and his colleagues used a sniffer – a program prized by malicious third parties – to capture Bluetooth traffic data generated by 13 popular branded devices. This amounted to 98 hours of raw data. The study shows that this metadata allows hackers to accurately identify the communicating devices and their model numbers, to recognise user activity (e.g., health monitoring, exercise, recording insulin injections), to extract users' profiles and habits, and even to launch specific applications on smartwatches.

“Today, each device chooses its own communication scheme using very specific packet sizes, which allows it to be tracked accurately. But by homogenising these communications, we can prevent the metadata leaking information to malicious third parties. We hope to encourage developers of connected devices and applications to devise new approaches to defend against traffic analysis attacks on Bluetooth communications”, says Barman.
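The effect of homogenising packet sizes can be seen in a small added example, which is not code from the study or from this article. It matches constructed traces of encrypted packet sizes against per-device size histograms, then repeats the match after padding every packet to a fixed block. The device names, sizes and the histogram matcher are assumptions made for illustration, and timing is not modelled.

```python
from collections import Counter

# Constructed traces: encrypted payload sizes (bytes) as seen by a passive
# observer. Device names and sizes are invented for illustration.
TRAINING = {
    "watch_A":   [27, 27, 143, 27, 251, 143],
    "tracker_B": [20, 20, 20, 64, 20, 64],
    "pump_C":    [35, 112, 35, 112, 35, 35],
}
UNKNOWN = {  # later captures from the same devices, different packet mix
    "watch_A":   [27, 143, 143, 27, 251, 27, 27],
    "tracker_B": [20, 64, 20, 20, 20],
    "pump_C":    [112, 35, 35, 35, 112, 35],
}

def pad(sizes, block):
    """Defence: round every packet up to a multiple of `block` bytes."""
    return [-(-s // block) * block for s in sizes]

def fingerprint(sizes):
    """Normalised histogram of packet sizes: the metadata left visible."""
    counts = Counter(sizes)
    return {size: n / len(sizes) for size, n in counts.items()}

def distance(fp_a, fp_b):
    """L1 distance between two size histograms."""
    keys = set(fp_a) | set(fp_b)
    return sum(abs(fp_a.get(k, 0.0) - fp_b.get(k, 0.0)) for k in keys)

def identify(trace, references):
    """Return every reference label at minimum distance (ties = ambiguous)."""
    fp = fingerprint(trace)
    scores = {n: distance(fp, fingerprint(r)) for n, r in references.items()}
    best = min(scores.values())
    return sorted(n for n, d in scores.items() if abs(d - best) < 1e-9)

def evaluate(block=None):
    """Candidate devices for each unknown trace, optionally after padding."""
    xform = (lambda s: pad(s, block)) if block else (lambda s: s)
    refs = {n: xform(t) for n, t in TRAINING.items()}
    return {n: identify(xform(t), refs) for n, t in UNKNOWN.items()}

def overhead(block):
    """Bandwidth cost of padding: padded bytes divided by original bytes."""
    raw = sum(sum(t) for t in UNKNOWN.values())
    return sum(sum(pad(t, block)) for t in UNKNOWN.values()) / raw
```

On this data, `evaluate()` and `evaluate(64)` still single out each device, while `evaluate(256)` leaves all three devices as equally likely candidates at roughly four times the bandwidth, which shows both why coarse padding is not enough and what full homogenisation costs.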

L. Barman, A. Dumur, A. Pyrgelis, J.-P. Hubaux: Every Byte Matters: Traffic Analysis of Bluetooth Wearable Devices, IMWUT (2021)