Is Your Smartwatch Secure? Winning Design Expo Team Takes a Close Look

Trevor Hornsby

The Internet of Medical Things (IoMT), a system of interrelated medical devices and applications, connects health care information technology systems using networking technologies. One-third of all IoT devices are found in healthcare (as IoMTs) and they are expected to account for 40% of total global IoT technology by 2025 (Darwis et al. 2017).

Healthcare’s data is frequently the target of fraud, extortion, and other illegal activities, with the average healthcare data breach costing $9.42 million (HIPAA Journal, July 2021). Therefore, it becomes imperative to investigate the security resiliency of IoMT devices, which continue to gain wide popularity, especially in the area of wearable devices such as smartwatches, fitness trackers, and heart rate monitors. These devices can reduce unnecessary hospital visits and ease the burden on health care systems, but are they secure?

A team of Michigan Tech students decided to find out when their advisor, Guy Hembroff, Applied Computing, presented the topic and research details to the group at their first meeting in September 2021. The project’s result, “IoMT Device Security,” was awarded first place in Senior Design category of the 2022 Michigan Tech Design Expo. Team members were graduating BS in Cybersecurity seniors Jacson Ott, Stu Kernstock, Trevor Hornsby, and Matthew Chau.

The annual Design Expo showcases experiential, discovery-based learning. This spring, the work of more than 1,000 students in Enterprise and Senior/Capstone Design projects were represented. The event is hosted by the Michigan Tech Enterprise program and supported by industry and university sponsorship.

A Security Review

“The goal of this project was to perform a security review of Internet of Medical Things wearable devices through hands-on testing,” explains team member Jacson Ott. “Our intention was to provide end users with a better understanding of the security implications of their everyday devices, and to present an updated picture of the industry’s current stance of implementing security.”

The research project specifically focused on the communication among several different Apple smartwatches, smartphones, and the applications that run on the smartphones.

“Apple devices are the most popular fitness tracking devices on the market, and research shows that Bluetooth is vulnerable to certain attacks,” explains Trevor Hornsby. “This is especially true with its counterpart, Bluetooth Low Energy.”

Bluetooth Low Energy is intended to considerably reduce power consumption and cost while maintaining a similar communication range to that provided by other communication

“We looked for common security weaknesses between the connection of an Apple Watch and an iPhone and analyzed the effectiveness of current practices to protect sensitive health information. We also identified steps for improvements and recommendations for mitigation measures to address existing threats and vulnerabilities,” says Hornsby. “Several potential areas for continued research were also revealed.”

“The tests we performed proved that in some scenarios anyone could realistically attempt to compromise some of these devices,” adds Hornsby. “A wide selection of smartwatches and accompanying smartphone apps were tested for potential vulnerabilities. Our tests included physical attacks, sniffing, man in the middle, dos, and reverse application engineering.”

The Judges Were Impressed

“I was very impressed with the presentation,” says Steve Knudstrup, Michigan Tech help desk consultant and a Design Expo judge. “The team took something pretty complicated and communicated it well so that I could understand both the technical aspects and why the project was important. I liked that the relevance was clear and that they were using devices that real people use every day. The students were also upbeat and very friendly, and very willing to answer any questions anyone had.”

Design Expo judge and Michigan Tech career advisor Amanda Hagerl, Career Services, was also impressed with the group’s presentations of their findings.

“They all showed a real interest in their work,” Hagerl says of the team. “Their enthusiasm really kept me captive. We live in a world where we fear our security, and so many of us wear Bluetooth devices. It made their topic interesting to many. They were able to answer all the questions I had, and they provided me with solutions to help with my security in the future.”

Long Hours in the Lab

The team followed a phased approach, breaking down the project into smaller pieces and collaboratively working on each phase. Hornsby says that the testing phase was very intensive and the team encountered several roadblocks.

“This team of students were very bright, motivated, and professional, each with individual areas of expertise and research goals that complimented those of the other team members, pushing them to become better as individuals and as a group,” says Hembroff.
“While this project was similar to most research endeavors, with challenges and setbacks throughout the course of the project, the students met each of the challenges and worked very hard to meet the expectations established for this project,” Hembroff says.

“I really enjoyed working with the group and witnessing their progression in teamwork, research, troubleshooting, and written and oral communication, which are critical to success in the cybersecurity industry,” Hembroff adds.

“Our project was heavily dependent on collaboration, from the early phase of researching the devices and tools, to testing and analyzing the data, and finally writing up the results in our paper,” says Trevor Hornsby.

“As a group, we did our best to rotate roles throughout the course of the project, ensuring that everyone was knowledgeable about all areas of the project,” notes Ott. “This approach also allowed us to leverage the unique perspectives and ideas of all group members.”

“There was a long period in which the result of every attempted attack resulted in failure,” says Ott. “It was difficult to avoid becoming discouraged as the team encountered one roadblock after another.

“But it was important to keep in mind that every success and failure we encountered helped us to build an increasingly whole picture of the space,” he adds. “The first time I managed to expose Personal Health Data (PHI) in a real-time connection between devices really boosted team morale.”

An Honest Effort to Discover Something New

The deep knowledge and enthusiasm of his advisor, Guy Hembroff, inspired Ott to put in his best effort and see where the project took him. “I valued this opportunity to apply the knowledge and skills built over my time at Tech in an environment where it was okay to fail,” he says.

At the beginning of the project, Hembroff stressed a particularly important aspect of the Senior Design capstone. “He said that our success or failure wouldn’t be the most important factor in the end, instead the true value of this capstone project would be found through honest effort and discovering something new,” Ott explains. “He always took the time to respond to our questions, assist us where needed, and provide guidance.”

“Dr. Hembroff provided us with frequent meaningful feedback throughout the entire course of the project,” agrees Hornsby. “He also helped us immensely with troubleshooting roadblocks and refining the scope of our project.”

About Jacson Ott

Jacson Ott is proud of the long hours and dedication he has put into completing his BS degree. “I will deeply miss the communities I’ve found here,” he says, adding that he plans to remain active as an alumnus. He graduated this spring with a BS in Cybersecurity with a focus on System and Network Security.

It was the quality and diversity of the Michigan Tech Cybersecurity BS program that drew Ott to Houghton, and the communities he found at the University kept him connected and engaged. He says he found the true value of his education in the program’s hands-on experiences and that the most valuable skill he gained is the ability to think critically and learn new topics.

Ott notes that the remote learning necessitated by the pandemic posed a unique set of challenges but in the end it was of benefit, better preparing him for the workforce. This summer he’ll pursue his third fully remote internship, this time with Palo Alto Networks Unit 42. He’ll be working as an incident response intern until August, when he’ll return to Michigan Tech to pursue a Master’s of Science in Cybersecurity focused on Network Security Management.

Applied Computing faculty member Tim Van Wagner was invaluable to Ott’s college experience. “He’s always ready to offer advice or talk about technology, and his passion for what he does is evident in every conversation,” Ott explains. “The deep care he has for his students and the quality of their education always made me excited to take his classes.”

During his undergraduate studies, Ott was involved in the Networking and Computing Student Association (NCSA), serving over the years as president, public relations head, and network team lead. He was also a competitor for the MTU RedTeam, achieving several high-ranking finishes in individual and team competition in National Cyber League events.

Ott is also a member of the Order of Omega and the Triangle Fraternity, for which he served as recruitment chair and brotherhood chair. He was awarded the 2022 Fraternity and Sorority Life Awards Outstanding New Fraternity Member of the Year.

“The members of NCSA and Triangle Fraternity have been of the utmost importance to my college career,” Ott says. “These groups have pushed me to grow as a leader, professional, and friend in ways I could never have imagined.”

Ott advises all students to find ways to apply their knowledge outside the classroom. “Joining student organizations that enhance your degree is one of the best ways to get the most out of your time at Michigan Tech,” he says.

About Trevor Hornsby

Trevor Hornsby’s interest in cybersecurity began in high school through his participation in cyber defense competitions. He was drawn to Michigan Tech because Tech was the only school he toured that demonstrated an interest in cybersecurity. He was also attracted to the Accelerated Master’s program, which wasn’t an option at other schools he was considering.

“I was convinced to study here because when I asked a professor about cybersecurity, they explained how the school has a lot of interest in cybersecurity,” Hornsby says.

Although Michigan Tech did not offer an undergraduate degree in cybersecurity when he started at Tech, in his second year Hornsby changed major from Computer Science to Cybersecurity when that degree program was started in 2019.

Department of Applied Computing faculty member Todd Arney had a large impact on Hornsby’s education. “His philosophy towards teaching creates a very relaxed environment in classes, and he really helped me to approach my studies with a different perspective. I felt like I could learn concepts naturally, as opposed to learning concepts through the forces of stress or the concern of getting a bad grade.”

“I feel the biggest advantage I’ve gained at Michigan Tech is having the foundation for continuous improvement,” Hornsby says. “It is true that the IT landscape is constantly changing, and MTU has helped me to feel confident that I have the foundation to adapt with the landscape. I’ve gained the skill of being able to take on unfamiliar challenges with confidence.”

During his undergraduate studies Hornsby was involved in the MTU RedTeam, the Puck Recreational Club, and Broomball. For the Red Team he achieved several high-ranking finishes in National Cyber League Cybersecurity Capture the Flag competitions, accomplishments of which he is very proud. He urges other students to escape their comfort zone and “get involved in whatever you feel interested in.”

“Northern hospitality is real, and everyone at Michigan Tech and in the community is amazing,” Hornsby says. “I really enjoyed being in this environment surrounded by so many great people.”

Hornsby, now employed full time at Oshkosh Corporation as a cybersecurity engineer, received his BS in Cybersecurity with a focus on System and Network Security this spring. He plans to pursue his Michigan Tech Accelerated Master’s online in the coming year.