CryptoDB
Udo Payer
Publications
Year
Venue
Title
2022
TCHES
BreakMi: Reversing, Exploiting and Fixing Xiaomi Fitness Tracking Ecosystem
Abstract
Xiaomi is the leading company in the fitness tracking industry. Successful attacks on its fitness tracking ecosystem would have severe consequences, including the loss of sensitive health and personal data. Despite these risks, very little is known about the security mechanisms adopted by Xiaomi. In this work, we uncover these mechanisms and show that they are insecure. In particular, Xiaomi protects its fitness tracking ecosystem with custom application-layer protocols spoken over insecure BLE connections (ignoring the BLE security mechanisms the devices support) or over TLS connections. We identify severe vulnerabilities in the specification of these proprietary protocols, including unilateral and replayable authentication. These issues are critical because they affect all Xiaomi trackers released since 2016 and the up-to-date Xiaomi companion apps for Android and iOS. We show how to exploit the identified vulnerabilities in practice by presenting six impactful attacks. Four attacks enable an attacker to wirelessly impersonate any Xiaomi fitness tracker and fitness mobile app, MitM them and eavesdrop on their communication. The other two attacks leverage a malicious Android application to remotely eavesdrop on data from a tracker and to impersonate a Xiaomi fitness app. Overall, the attacks have a high impact, as they can be used to exfiltrate sensitive data from, and inject data into, any Xiaomi tracker and compatible app. We propose five practical and low-overhead countermeasures to mitigate the presented vulnerabilities. Moreover, we detail BreakMi, a modular toolkit that we developed to automate our reverse-engineering process and attacks. BreakMi understands Xiaomi's proprietary application-layer protocols, reimplements Xiaomi's security mechanisms, and automatically performs our attacks. We demonstrate that our toolkit can be generalized by extending it to be compatible with the Fitbit ecosystem. We will open-source BreakMi.
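The abstract names "unilateral and replayable authentication" as the protocol-level weakness without spelling out what that looks like on the wire. The following is an added, generic illustration written for this page; it is not the Xiaomi protocol, not code from the BreakMi toolkit, and not from the paper's authors. The shared key, device identifier and message layouts are constructed assumptions. It contrasts a static authentication token (anyone who sniffs it once can replay it, and only one side ever proves key possession) with a mutual challenge-response scheme in which the verifier issues a fresh single-use nonce and then returns its own proof bound to the transcript.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed 128-bit shared key standing in for whatever pairing secret a
# tracker and its companion app share. Not a key from any real product.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DEVICE_ID = b"tracker-0001"  # constructed identifier


# --- 1. Unilateral, replayable authentication (the weak pattern) ---------
def replayable_token(key: bytes, device_id: bytes) -> bytes:
    """Prover sends HMAC(key, device_id). Nothing in the message is fresh,
    so a captured token is accepted again later, and the verifier never
    proves that it holds the key itself."""
    return hmac.new(key, device_id, hashlib.sha256).digest()


def replayable_verify(key: bytes, device_id: bytes, token: bytes) -> bool:
    return hmac.compare_digest(replayable_token(key, device_id), token)


def demo_replay_attack() -> bool:
    """An eavesdropper without the key resends a sniffed token.
    Returns True if the verifier accepts the replay (it does)."""
    captured = replayable_token(SHARED_KEY, DEVICE_ID)  # sniffed once
    return replayable_verify(SHARED_KEY, DEVICE_ID, captured)


# --- 2. Mutual challenge-response with single-use nonces (the fix) -------
def prover_response(key: bytes, device_id: bytes, nonce: bytes) -> bytes:
    # Domain tag keeps prover and verifier MACs from being confused.
    msg = b"prover|" + device_id + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def verifier_proof(key: bytes, device_id: bytes, nonce: bytes,
                   response: bytes) -> bytes:
    # Binds the verifier's proof to the nonce and the prover's response,
    # so the whole transcript is covered and the prover can authenticate
    # the verifier too (mutual authentication).
    msg = b"verifier|" + device_id + b"|" + nonce + b"|" + response
    return hmac.new(key, msg, hashlib.sha256).digest()


def prover_check(key: bytes, device_id: bytes, nonce: bytes,
                 response: bytes, proof: bytes) -> bool:
    return hmac.compare_digest(
        verifier_proof(key, device_id, nonce, response), proof)


class ChallengeResponseVerifier:
    """Verifier side: a fresh random nonce per session, consumed on first
    use, so a captured (nonce, response) pair cannot be replayed and a
    response for one session is useless in another."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, device_id: bytes, nonce: bytes,
               response: bytes) -> bytes | None:
        """Returns the verifier's own proof on success, None on failure."""
        if nonce not in self._outstanding:
            return None  # never issued or already consumed: replay
        self._outstanding.discard(nonce)  # single use
        expected = prover_response(self._key, device_id, nonce)
        if not hmac.compare_digest(expected, response):
            return None
        return verifier_proof(self._key, device_id, nonce, response)


def demo_mutual_auth() -> tuple[bool, bool, bool]:
    """Returns (legit_session_ok, replay_accepted, cross_session_accepted)."""
    verifier = ChallengeResponseVerifier(SHARED_KEY)
    nonce = verifier.challenge()
    response = prover_response(SHARED_KEY, DEVICE_ID, nonce)
    proof = verifier.verify(DEVICE_ID, nonce, response)
    legit_ok = proof is not None and prover_check(
        SHARED_KEY, DEVICE_ID, nonce, response, proof)
    # Attacker replays the captured pair as-is.
    replay_accepted = verifier.verify(DEVICE_ID, nonce, response) is not None
    # Attacker presents the old response against a new challenge.
    nonce2 = verifier.challenge()
    cross_accepted = verifier.verify(DEVICE_ID, nonce2, response) is not None
    return legit_ok, replay_accepted, cross_accepted


if __name__ == "__main__":
    print("static token replay accepted:", demo_replay_attack())
    print("(legit, replay, cross-session):", demo_mutual_auth())
```

The point of the second half is that freshness has to come from the verifier and be consumed on use; signing a counter the prover controls, or a timestamp the verifier does not check, leaves the same replay window open. Over BLE the same property can also be obtained from the link layer (LE Secure Connections pairing) rather than re-implemented at the application layer, which is the option the abstract notes Xiaomi's protocols ignore.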
Coauthors
- Daniele Antonioli (1)
- Marco Casagrande (1)
- Mauro Conti (1)
- Herbert Leitold (1)
- Eleonora Losiouk (1)
- Wolfgang Mayerwieser (1)
- Karl C. Posch (1)
- Reinhard Posch (1)
- Johannes Wolkerstorfer (1)