Identification of Wearable Devices With Bluetooth: IEEE Transactions On Sustainable Computing February 2018



Identification of Wearable Devices with Bluetooth

Article in IEEE Transactions on Sustainable Computing · February 2018


DOI: 10.1109/TSUSC.2018.2808455


All content following this page was uploaded by Hidayet Aksu on 27 January 2019.



IEEE TRANSACTIONS ON SUSTAINABLE COMPUTING, VOL. X, NO. X, MONTH YEAR 0

This work has been accepted in IEEE Transactions on Sustainable Computing.


DOI: 10.1109/TSUSC.2018.2808455
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8299447&isnumber=7742329

IEEE Copyright Notice:


© 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all
other uses, in any current or future media, including reprinting/republishing this material for advertising
or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or
reuse of any copyrighted component of this work in other works.
arXiv:1809.10387v1 [cs.CR] 27 Sep 2018

Identification of Wearable Devices with Bluetooth
Hidayet Aksu, A. Selcuk Uluagac, Senior Member, IEEE, and Elizabeth S. Bentley

Abstract
With wearable devices such as smartwatches on the rise in the consumer electronics market,
securing these wearables is vital. However, the current security mechanisms only focus on validating
the user, not the device itself. Indeed, wearables can be (1) unauthorized wearable devices with correct
credentials accessing valuable systems and networks, (2) passive insiders or outsider wearable devices,
or (3) information-leaking wearable devices. Fingerprinting via machine learning can provide necessary
cyber threat intelligence to address all these cyber attacks. In this work, we introduce a wearable
fingerprinting technique focusing on Bluetooth classic protocol, which is a common protocol used by the
wearables and other IoT devices. Specifically, we propose a non-intrusive wearable device identification
framework which utilizes 20 different Machine Learning (ML) algorithms in the training phase of the
classification process and selects the best performing algorithm for the testing phase. Furthermore,
we evaluate the performance of proposed wearable fingerprinting technique on real wearable devices,
including various off-the-shelf smartwatches. Our evaluation demonstrates the feasibility of the proposed
technique to provide reliable cyber threat intelligence. Specifically, our detailed accuracy results show on
average 98.5%, 98.3% precision and recall for identifying wearables using the Bluetooth classic protocol.

Index Terms
Cyber threat intelligence, Wearable device fingerprinting, Authentication, Network-level Bluetooth
fingerprinting, Cyber security.

1 INTRODUCTION

CYBERSPACE is expanding rapidly with the introduction of new Internet of Things (IoT) devices.
Today, it is extremely challenging to find a device without any Internet connection capability.
Wearables, smart watches, glasses, fitness trackers, medical devices, and Internet-connected house
appliances have grown exponentially in a short period of time. It is estimated that, on average, one
device is connected to the Internet every eighty seconds today and our everyday lives will be
dominated by billions of smart connected devices by the end of this decade [1]. Indeed, it is predicted that
by 2020, there will be 50 to 100 billion devices connected to the Internet [2], [3], forming a massive IoT.
This emerging IoT technology will drastically change our daily lives and enable smarter cities, health,
transportation, and energy [3]. Among these devices, a considerable number of them will be the wearable
devices that can be carried by individuals such as watches, fitness bands, sensors (e.g., heart-rate, stride),
etc. By 2019, it is estimated that one in four smartphone owners will also be using a wearable device [4].
On the other hand, one of the relatively overlooked problems in the industry or in any networking
environment today is that although wearable device vendors follow the general guidelines while
implementing a specific software, hardware, or firmware to be compatible with the industry standards
and other technologies, they, unfortunately, do not fully comply with the specifics of the standards [5],
[6]. Different implementations of the same functionality can be observed with different vendors due to

• H. Aksu and A. S. Uluagac are with the Dept. of Electrical and Computer Engineering, Florida International University, Miami,
FL, 33174.
E-mail:{haksu,suluagac}@fiu.edu.
• E. S. Bentley is with Air Force Research Lab., Rome, NY 13441-4514.
E-mail: [email protected]

differences in interpretations and lenient parts of the standards. Similarly, it is possible that counterfeit
wearable devices or devices with corrupted hardware or software components may exist in a networked
environment without the knowledge of the network administrator [7], [8]. These wearable devices may
participate in the regular data collection transactions, glean important information from unwary benign
devices nearby, and leak such information to adversaries [7], [8]. Moreover, a network can dynamically
grow and shrink in size with new wearable devices and equipment depending on the needs. For instance,
employees can bring their own wearables (aka BYOD) to their networks. New wearable devices can join
and leave an authorization realm and device configurations can change dynamically, or even more
frequently than other traditional networking settings. Similarly, a wearable device can be compromised
or can be made ineffective by adversaries or, simply, a small wearable device can be dropped or lost in a
networking environment. In such a case, a wearable device could still be part of an authentication realm
acting as an insider threat to the other legitimate operational networked resources. More specifically, new
devices can be (1) unauthorized wearable devices with correct network credentials, (2) passive insiders
or outsider wearable devices, or (3) information-leaking wearable devices.
Furthermore, most of the wearables are resource-limited and have limited processing capabilities.
This poses challenges to the most state-of-the-art security solutions. For instance, an insider attack
could be avoided with a multi-factor authentication mechanism. However, achieving a multi-factor
authentication [9] on a wearable device with limited resources may be challenging, if not impossible.
To alleviate these concerns, in this work, we introduce a machine-learning-based wearable fingerprinting tool as a
non-intrusive complementary security mechanism for wearables. Such a fingerprinting mechanism does not
solely depend on current security solutions to verify whether the device whose security is questioned is
actually the device it claims to be but incorporates obtained cyber threat intelligence. With fingerprinting,
unauthorized wearable devices, possibly inserted by authorized individuals (aka insiders), can be detected
via their reproducible fingerprints. Furthermore, a wearable fingerprinting mechanism can also be
utilized to identify unmanageable wearables without any sophisticated software architecture on them.
Hence, a wearable fingerprinting mechanism can supplement current security solutions (e.g., access
control and authentication) to gain more information and confidence in critical decisions when classical
security solutions cannot be efficiently operated in a wearable realm. For instance, a Bluetooth speaker
may be needed in a conference room. Although this speaker will be connected to the network, traditional
credential or NAC-based solutions are not applicable as the speaker does not support such services.
However, network admins may want to make sure any rogue device with Bluetooth support cannot
access the network. Network access is granted to a device only after it is identified as an expected
device.
In this work, we propose to utilize the timing information of the Bluetooth classic protocol. This
protocol is predominantly used by the wearable devices in the market today. Our framework utilizes
a comprehensive set of Machine Learning (ML) algorithms (20 different ML algorithms) in the training
phase of the classification process to pick the best performing algorithm. To the best of our knowledge, the
proposed fingerprinting technique, as well as the intelligent utilization of 20 different ML algorithms, is the first
in the wearables realm. Moreover, we apply our wearable fingerprinting technique on different wearables,
i.e., various smart watches. Our detailed evaluation demonstrates the functionality and feasibility of the proposed
technique with 98.5%, 98.3% precision and recall for wearables using Bluetooth classic protocol.
The remainder of this manuscript is organized as follows. We review the related work in Section 2.
Background on wearables is presented in Section 3. We also explain different fingerprinting techniques
in the same section. In Section 4, we introduce the components of our wearable fingerprinting framework. In
Section 5, we discuss test setup and provide the empirical analysis of wearables using Bluetooth classic
protocol. Then in Section 6, we discuss how fingerprinting can be used to complement security and
how a real operational wearable networking environment could benefit from fingerprinting. Finally, we
conclude this paper in Section 7.

2 RELATED WORK
There is currently no work that fingerprints wearable devices. However, fingerprinting has been applied
by many earlier studies. A seminal work in this area was introduced by Kohno et al. in [10].
In [10], a method for remotely fingerprinting a physical device by exploiting the implementation of the

Figure 1. Overall Sync Architecture between the Phone and Wearable.

TCP protocol stack was proposed. The authors use the TCP timestamp option of outgoing TCP packets
to reveal information about the sender’s internal clock. The authors’ technique exploits microscopic
deviations in the clock skews to derive a clock cycle pattern as the identity for a device. The authors
of [11] take a similar approach to that of [10] (i.e., using clock skews to uniquely identify nodes),
however, the goal of [11] is to uniquely fingerprint access points (APs), obtaining the timestamp from
802.11 beacon frames. Similarly, the authors in [12] use timing information between commands and
responses on the Universal Serial Bus (USB) to distinguish between variations in model identifiers,
OSs (and sometimes OS version number), and whether a machine is answering from a real or virtual
environment. There have also been other physical layer approaches to fingerprint wireless devices.
A good survey on the physical-layer identification of wireless devices can be found in [13]. Radio
frequency (RF) emitter fingerprinting uses the distinct electromagnetic (EM) characteristics that arise
from differences in circuit topology and manufacturing tolerances. This approach has a history of use
in cellular systems and has more recently been applied to Bluetooth [14] and Wi-Fi [15] emitters. The
EM properties fingerprint the unique transmitter of a signal and differ from emitter to emitter. This
technique requires expensive signal analyzer hardware to be within RF range of the target. In a more
recent work [16], [17], the authors developed a passive wired-side technique to fingerprint types of
devices connected to a Wireless Local Area Network (IEEE 802.11 g/n). Different from this WLAN
fingerprinting work, our identification focuses on the characteristics of Bluetooth classic protocol, which
is mostly used by the resource-limited wearables. Also, their work considers one type of classification
mechanism (i.e., artificial neural networks) whereas our fingerprinting framework is able to utilize 20
different Machine Learning algorithms to determine the best performing one for fingerprinting problem.
Finally, a recent useful survey of fingerprinting mechanisms can be found in [18].

3 BACKGROUND
3.1 Wearables
It is possible to see the early examples of wearables mostly in the smart watch realm. For smart watches,
there are four major smart watch operating system vendors: Android-based, iOS-based, Samsung-based
with Tizen O/S [19], and Pebble-based with Pebble O/S [20]. The Pebble O/S is based on an open source
Real Time Operating System (FreeRTOS) for embedded devices while the Tizen is another open-source
Linux-derivative operating system. In this paper, we only focus on Android-based ones given their
popularity with their open-source nature.
A wearable device (e.g., smart watch, fitness band) usually needs to work and synchronize with
another more resourceful Android device such as a tablet or smartphone to be fully functional (Figure 1).
The Android Wear app is the primary conduit for communication between an Android Wear device and
a smartphone/tablet. Without the application installed and running on the Android handheld device,
the Android Wear and the handheld are unable to pair, limiting the serviceability of the Android Wear

Figure 2. Bluetooth classic protocol stack

technology. Moreover, the operating system of the Android handheld must be running on Android 4.3
Jelly Bean or higher.
For most of the wearable devices, the communication occurs via Bluetooth protocols. An example
communication between an Android wear smart watch and a smartphone is illustrated in Figure 1. In
this example, the smartwatch and the smartphone use the notifications over Bluetooth. With notifications,
the wear devices and applications share information among themselves. The sending application for
the notifications can be on one device and the receiving application on another. When a notification is
created on a smartphone, it is sent to the Android Wear application, which then sends the notification to
the synced wearable. The overall architecture is shown in Figure 1. Notifications from all applications on
the smart device are sent to the wearable via the Android Wear application using a Bluetooth connection.
These notifications are immediately displayed on the wearable’s screen.

3.2 Wearables with Bluetooth Classic


Bluetooth classic is the legacy version of Bluetooth, which was first created in 1994 [21], while the Bluetooth
Special Interest Group (SIG) was formed in 1998 [22]. It is widely used in the market today and it is also
known as Bluetooth BR/EDR (basic rate/enhanced data rate). The current version is Bluetooth v4.2,
which was released in December 2014. Figure 2 displays the Bluetooth classic protocol stack.
Meanwhile, Bluetooth security depends on the pairing process and the use of authentication and encryption.
All security features depend on device name, address, i.e., BDADDR, and encryption keys. Device name
and address can be spoofed while encryption keys can be copied to other devices. Thus, enabling device
fingerprinting, which depends on device hardware, can increase the overall security level of Bluetooth
speaking wearables.

3.3 Fingerprinting Wearables


Wearable fingerprinting can generally be achieved in at least two different ways. The first depends on
the goal of fingerprinting and there can be two types of fingerprinting under this: Device or device type
fingerprinting. With the device fingerprinting, individual devices are fingerprinted. The main goal is to
distinguish an individual device from another one of its kind. For instance, assume there are two smart
watches from the same vendor, Sony Smart watch 1 and Sony Smart watch 2, the goal is to distinguish
one from the other. With the device type fingerprinting, devices from different vendors are identified.
The identification is based on the vendor diversification rather than the individual devices by the same
vendors.
The second type of fingerprinting depends on the method of fingerprinting. In this category, there
can be two generic ways: active and passive fingerprinting [23].

Figure 3. Fingerprinting wearables

Under the active fingerprinting technique, the wearable devices are fingerprinted with an external
stimulus (e.g., a specific packet) and the results returned from the device are fingerprinted and analyzed
for signature generation and identification, respectively. Specifically, the active fingerprinting technique
involves two complementary approaches. In the first one, regular packets are sent to the wearable devices
whereas, in the second one, malformed packets (i.e., abnormal, unexpected) are sent to the wearables.
Regular packets sent to the devices conform to the general rules of the standards and protocols.
Responses coming from the wearable devices, the difference in content, length, orders of packets, packet
arrival, inter-arrival time can all be observed and analyzed in the fingerprinting process and be part of
the signature generation process.
In the passive fingerprinting technique, the wearable devices are monitored for the information they
carry (e.g., protocol packet fields) or generate (e.g., timing analysis between packets) and this observed
information is the basis for the signature generation and the identification afterward. The passive
fingerprinting can be accomplished via two different approaches. In the first one, behavior analysis, the
protocols, the applications, the protocol headers, protocol fields that are sent in the clear are all observed
for how they behave and how differences in implementations of protocols and applications vary across
devices. It is widely known that each vendor implements enhanced versions of certain functions although
they conform to the industry standards. So, diversity in protocol functionalities can be observed. For
instance, Bluetooth stack may have been implemented using different versions of the Bluetooth protocol.
With this type of fingerprinting, it is possible to catch device types easier than individual devices within
a specific device class.
The second passive fingerprinting approach involves observing the timing patterns (e.g., interpacket-
arrival times (IAT)) between the communicating end-points (e.g., wearable-to-wearable or wearable-to-
other smart equipment communication) [16], [17]. The third one involves the observation of the clock
skews [10]. Estimated clock skews from the fingerprinter’s point of view can provide a good opportunity
for generating unique device signature as each wearable device vendor may have differing internal
clocks. It is important to note that the last two approaches are non-intrusive, do not require deep-packet
inspection, and can be applied to any type of traffic whether the traffic is encrypted or not.
In both active and passive methods, versatile open source tools such as Python’s Scapy [24] can
be utilized for generating the regular or abnormal packets and open source software-based (e.g.,
Tcpdump [25], Wireshark [26]) or hardware-based (e.g., Ubertooth [27]) packet sniffers can all be used
for monitoring and capturing the wearable traffic. The captured results are analyzed after the process or
in real time.
Moreover, the aforementioned active and the passive wearable fingerprinting techniques can be
applied to two different components of the wearable device: Applications and protocols. These important
components interact with the outside world and provide an excellent opportunity for fingerprinting.
For instance, requesting special information (e.g., nonexistent) from a wearable device via the active
fingerprinting method and observing its response may provide different results depending on the
application type on the wearable device. Further, a certain application (e.g., a notification mechanism) or

Figure 4. Wearable fingerprinting framework.

a protocol over different-but-seemingly similar wearable devices (e.g., Sony Smart watch vs. LG Smart
watch) may generate different observable signatures. The different fingerprinting methodologies that can
be utilized in a wearable fingerprinting framework are summarized in Figure 3. Note that in this work,
we utilize an inter-packet-timing-based analysis method on Bluetooth classic protocol packets from wearable
devices, effectively combining two different techniques of passive fingerprinting, timing and behaviour analysis, to
determine the device type. The details of our fingerprinting framework are given in the following section.

4 WEARABLE FINGERPRINTING FRAMEWORK


Our wearable fingerprinting framework consists of four main components, as shown in Figure 4: (1)
Packet capture; (2) Feature extractor; (3) Signature generator; and (4) Comparison. In this section, we
articulate these briefly.
• Packet capture: The first step in our wearable fingerprinting framework involves capturing
Bluetooth classic packets from a wearable device. Note that Bluetooth classic is predominantly
used in the wearables domain.
• Feature extractor: As the packets are collected from the wearable devices, this component is
responsible for extracting the features from the packets. In our framework, distinguishing
information is inter-arrival-times between Bluetooth packets.
• Signature generator: The next component in the fingerprinting is to generate the signatures using
the features as the basis to reveal patterns in the data. In our work, the signatures are probability
distributions. Once the signatures are generated, they are also stored in a database so that they can
be used to compare with new signatures when identifying unknown wearables. In other words,
signatures are used to train the prediction models for various ML algorithms.
• Comparison/Prediction: The final step in the wearable fingerprinting process involves comparing a
stored signature with the wearable that needs to be identified. If a match with a known signature
is found for the unknown wearable, the unknown wearable is deemed identified, otherwise
unidentified. It should be noted that from a security standpoint, both results are valuable. Here trained
machine learning models are used to make predictions.
Our wearable fingerprinting framework makes use of classifiers from Weka [28] project and also an
external neural network implementation [29]. The ML algorithms we used are listed in Table 1. Further,
this table includes the type of the algorithms. As different ML algorithms can model different patterns
in data, we know that the best performing algorithm will depend on the pattern inside Bluetooth traffic

Algorithm 1 Pick Best ML Algorithm - Training Phase

Input: ds: learning dataset,
       algs: list of supported ML algorithms,
       filters: list of filters
Output: returns best performing algorithm
v ← empty vector
for each algorithm alg in algs list do
    for each filter f in filters list do
        ds_f ← apply_filter(ds, f)
        feature_set ← generate_signature(ds_f)
        model_alg ← build_model(feature_set, alg)
        accuracy_{f,alg} ← test_model(model_alg, ds_f)
        add pair <alg, accuracy_{f,alg}> to vector v
    end for
end for
v_top15 ← filter_top_15_percent_by_accuracy(v)
alg_freq ← compute_frequency_per_algorithm(v_top15)
alg ← most_frequent_algorithm(alg_freq)
return alg

Table 1
ML Classifiers used by our wearable identification framework.

Type        Name
Functions   LibSVM, MultilayerPerceptron, NeuralNetwork, SMO, SimpleLogistic
Bayes       BayesNet, NaiveBayes, NaiveBayesMultinomialUpdateable, NaiveBayesUpdateable
Rules       DecisionTable, JRip, OneR, PART
Trees       DecisionStump, HoeffdingTree, J48, LMT, REPTree, RandomForest, RandomTree

captures and extracted features. However, there is no prior knowledge about the true nature of the
pattern in this data. So, we selected well-known algorithms designed to model various patterns. For
instance, LibSVM and SimpleLogistic like algorithms capture functional patterns while BayesNet and
NaiveBayes like algorithms capture stochastic patterns. Thus, we incorporated algorithms from all major
pattern types as listed in the Table 1 and exhaustively used them. Our framework is able to pick the best
performing ML algorithm among all the supported ones in the training phase using the Algorithm 1.
Specifically, the algorithm Pick Best ML Algorithm uses the training dataset ds, the list of supported ML
algorithms algs, and the list of filters filters. It computes accuracy for each ML algorithm alg and each
filtering on training data and keeps a vector of <alg, accuracy> pairs. Then, it selects the top 15 percent
of best performing algorithms and computes the frequency of each algorithm in this top list. The most
frequent algorithm is picked as the best algorithm. Hereafter, this algorithm is used in the testing phase.
The generation of a signature from a dataset is shown in Algorithm 2. In order to generate the signature,
first, inter arrival time vector iat is computed from the input dataset. Then, the density distribution of
iat vector is generated. Finally, this distribution is converted into a histogram and each bin height in the
histogram becomes a feature in the signature.
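
The selection step of Algorithm 1, as an added Python example that is not the authors' code: it ranks the <alg, accuracy> pairs, keeps the top 15 percent and returns the most frequent algorithm, next to the naive "single best pair" choice. The accuracy figures and most filter names are constructed, and the tie-break rule is an assumption, since the paper does not define one.

```python
from collections import Counter


def pick_best_algorithm(results, top_percent=15):
    """Selection step of Algorithm 1.

    results: list of (algorithm, filter_name, accuracy), one per algorithm/filter pair.
    Returns the algorithm that appears most often among the top `top_percent`
    of pairs ranked by accuracy.
    """
    if not results:
        raise ValueError("no <alg, accuracy> pairs to rank")
    ranked = sorted(results, key=lambda r: r[2], reverse=True)
    # Integer ceiling so 15% of 20 pairs is exactly 3; always keep at least one pair.
    k = max(1, (len(ranked) * top_percent + 99) // 100)
    top = ranked[:k]
    freq = Counter(alg for alg, _, _ in top)
    most = max(freq.values())
    tied = [alg for alg, count in freq.items() if count == most]
    # Assumption (the paper does not define a tie-break): among tied
    # algorithms, prefer the one whose best pair ranks highest.
    return min(tied, key=lambda a: next(i for i, r in enumerate(top) if r[0] == a))


def single_best(results):
    """Naive alternative for comparison: the algorithm behind the single best pair."""
    return max(results, key=lambda r: r[2])[0]


# Constructed accuracies for four of the Table 1 classifiers over five filter cases.
FILTERS = ["all-all", "all-10", "RFCOMM-all", "RFCOMM-10", "L2CAP-all"]
ACCURACY = {
    "RandomForest": [0.97, 0.96, 0.97, 0.98, 0.95],
    "J48":          [0.93, 0.92, 0.94, 0.95, 0.90],
    "NaiveBayes":   [0.88, 0.87, 0.90, 0.91, 0.85],
    "OneR":         [0.60, 0.58, 0.99, 0.62, 0.55],
}
RESULTS = [(alg, f, acc) for alg, accs in ACCURACY.items() for f, acc in zip(FILTERS, accs)]

if __name__ == "__main__":
    print("top-15% vote:", pick_best_algorithm(RESULTS))
    print("single best :", single_best(RESULTS))
```

With this constructed table, one outlying score on one filter wins the single-best comparison, while the frequency vote picks the classifier that ranks near the top on several filters.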

Algorithm 2 Generate Signature - All Phases

Input: ds: dataset
Output: returns ds signature
iat ← extract_inter_arrival_time(ds)
dd ← generate_density_distribution(iat)
features ← converts_to_features(dd)
return features
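
Algorithm 2 and the filter step that precedes it, as an added Python sketch (not the authors' code): a normalised histogram stands in for the density estimate, and a nearest-signature match stands in for the trained classifiers of the comparison step. `Packet`, `max_iat`, `distance`, `identify`, its threshold and the synthetic captures are assumptions made for illustration.

```python
from collections import namedtuple
from itertools import cycle, islice

# One captured Bluetooth classic packet (constructed record layout):
# capture timestamp in seconds, protocol name, length in bytes.
Packet = namedtuple("Packet", "ts proto length")


def apply_filter(packets, proto=None, min_len=None):
    """Filter step: keep `proto` only (None = all) and packets longer than min_len bytes."""
    return [p for p in packets
            if (proto is None or p.proto == proto)
            and (min_len is None or p.length > min_len)]


def inter_arrival_times(packets):
    """IAT vector: gaps between consecutive packets of the (filtered) capture."""
    ts = sorted(p.ts for p in packets)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def generate_signature(packets, bins=300, max_iat=0.3):
    """Algorithm 2 with a normalised histogram standing in for the density estimate.

    Each feature is the share of IATs falling in one bin, so the features sum to 1.
    `max_iat` (seconds) is an assumed upper edge; longer gaps go into the last bin.
    """
    iat = inter_arrival_times(packets)
    if not iat:
        raise ValueError("need at least two packets after filtering")
    width = max_iat / bins
    counts = [0] * bins
    for gap in iat:
        counts[min(int(gap / width), bins - 1)] += 1
    return [c / len(iat) for c in counts]


def distance(sig_a, sig_b):
    """Total variation distance between two signatures (0 = identical, 1 = disjoint)."""
    return 0.5 * sum(abs(a - b) for a, b in zip(sig_a, sig_b))


def identify(signature, database, threshold=0.5):
    """Nearest enrolled signature, or None when nothing is close enough (unidentified)."""
    label, best = min(((name, distance(signature, ref)) for name, ref in database.items()),
                      key=lambda item: item[1])
    return label if best <= threshold else None


def synth_capture(iat_cycle, n, protos=("RFCOMM", "L2CAP"), lengths=(8, 40, 120)):
    """Constructed sample capture: n packets whose gaps repeat iat_cycle."""
    ts, out = 0.0, []
    for gap, proto, length in islice(zip(cycle(iat_cycle), cycle(protos), cycle(lengths)), n):
        out.append(Packet(ts, proto, length))
        ts += gap
    return out


if __name__ == "__main__":
    # Constructed devices: watch_A sends roughly every 11 ms, watch_B is slower.
    enrolled = {
        "watch_A": generate_signature(synth_capture([0.0104, 0.0127, 0.0115], 300)),
        "watch_B": generate_signature(synth_capture([0.0302, 0.0315, 0.0507], 300)),
    }
    unknown = generate_signature(synth_capture([0.0115, 0.0104, 0.0127], 200))
    rogue = generate_signature(synth_capture([0.1204, 0.1409], 200))
    print("unknown ->", identify(unknown, enrolled))
    print("rogue   ->", identify(rogue, enrolled))
```

The signature uses only packet timestamps, plus protocol and length when a filter is applied, so it needs no payload inspection.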

5 PERFORMANCE EVALUATION
In order to evaluate the feasibility and efficacy of the proposed wearable fingerprinting framework,
we set up a testbed with a set of representative wearable devices and studied different test scenarios

Table 2
Paired smartphone and wearable devices in our tests using Bluetooth BR/EDR protocol.

Device Type   Make       Marketing Name     OS
Smartwatch    Sony       Sony smart watch   Android
Smartphone    Samsung    Galaxy S5          Android
Smartwatch    Motorola   Moto 360           Android
Smartwatch    Asus       ZenWatch           Android
Smartwatch    LG         G Watch R          Android
Smartwatch    LG         LG Urbane          Android
Smartwatch    Samsung    Gear Live          Android

empirically.

5.1 Testbed and Experiment Methodology


We set up a testbed of six smart watches and a master smartphone. Table 2 provides the list of Bluetooth
classic wearable devices we used in our tests. All watches were paired with the master smartphone via
the Android Wear app as illustrated in Figure 5. Note that the smart watches need this Android Wear
App running on the paired smartphone. In this way, a communication between the smartphone and
smart watch is established as explained in Section 3. The Android Wear App imposes some limitations on
Bluetooth connectivity; for example, only smartphone-to-smart watch communication is supported. Although
a smartphone can be paired with many smart watches, a smart watch can be paired with only one
smartphone at a time. Since we want to profile usual Bluetooth traffic on wearables, we followed the
limitations associated with Android Wear. All Bluetooth communication was captured at the smartphone.

Figure 5. Bluetooth classic testbed with wearables

Smart watches receive all notifications from the paired smartphone. Also, any app in the smartphone
communicates with its wearable extension over the Bluetooth channel. This communication is managed
by Android APIs. To facilitate this, we developed a test Android app with its wearable extension.
This test app generated the Bluetooth traffic between the smartphone and smart watch. The generated
traffic contained random-sized notifications from the smart watch to the smartphone and from phone to
watch. Each experiment included about 300 exchanged messages. For each smart watch, we repeated the
experiment 40 times. The total amount of captured Bluetooth traffic was about 1.08 GBytes.

5.2 Experiments and Results


As articulated earlier, our evaluation focused on the packet inter-arrival-time (IAT) distributions as the
fundamental wearable fingerprinting feature. In order to determine the best filtering cases for IATs, we

analyzed the packet captures with packet length and Bluetooth protocol breakdowns.

Table 3
Hardware specs of tested wearables and a smartphone with Bluetooth classic

Device            Chipset                             CPU                                RAM             Bluetooth
Sony smartwatch   Qualcomm Snapdragon 400 APQ8026     ARM Cortex-A7, 1200 MHz, 4 Core    512 MB          4.0
Galaxy S5         Qualcomm Snapdragon 801 MSM8974AC   Krait 400, 2.5 GHz, 4 Core         2 GB LPDDR3     4.0
Moto 360 E9A4     Texas Instruments OMAP 3 3630       ARM Cortex-A8, 1.2 GHz, 1 Core     512 MB LPDDR    4.0
ZenWatch 1726     Qualcomm Snapdragon 400 APQ8026     ARM Cortex-A7, 1.2 GHz, 4 Core     512 MB          4.0
G Watch R 4050    Qualcomm Snapdragon 400 APQ8026     ARM Cortex-A7, 1.2 GHz, 4 Core     512 MB          4.0
LG Urbane CFA0    Qualcomm Snapdragon 400 APQ8026     ARM Cortex-A7, 1.2 GHz, 4 Core     512 MB          4.1
Gear Live 3103    Qualcomm Snapdragon 400 APQ8026     ARM Cortex-A7, 1.2 GHz, 4 Core     512 MB LPDDR2   4.0

Figure 6. Inter-Arrival-Time density distributions of wearables when no packet filtering applied (i.e., no length or protocol type
considered).

Figure 6 displays IAT density distribution for six smartwatches and one smartphone. Although the
smartphone is not a wearable device, we included it here to see the impact of device diversity. In the
figure, the X-axis represents packet inter-arrival-time (IAT) in seconds while the Y-axis refers to density
for a given IAT value. The trend of the Y-value is more important than its value. Since it is a density plot,
the total area under each curve is equal to one. As seen in the figure, for each tested wearable, there
are distinct IAT distributions. To further understand the degree of diversity, we looked at the hardware
specs for each tested wearable device and tabulated them in Table 3. As the table suggests, in spite of
different appearances and vendors, devices have small variations in their architectural details. In fact,
the hardware specs correlate with density trends we observed in our tests. For instance, identical specs
of ZenWatch, G Watch R, and Sony smart watch resulted in close density plots while distinct specs of
Moto 360 E9A4 and LG Urbane CFA0 resulted in further separated plots from each other.
We then analyzed the effect of packet length in our wearable fingerprinting framework. Packet length
means the size of evaluated packets and length > k states only packets larger than k bytes were
considered. Figure 7 shows the density distributions when different packet sizes were utilized. As seen
in the figures, the size of the packet allows different densities for each tested wearable device.
Next, we focused on the type of the underlying protocol utilized by the wearable device in their
Bluetooth classic stack. As presented in Figure 8, RFCOMM provides more distinctive curves than SDP
and L2CAP protocols. Similar to results observed with the packet length analysis, the wearable devices
have varying IAT densities for each tested device. Finally, we considered both the packet length and

protocol type together. The results for this combined test case are given in Figure 9. As seen in the
figures, a combined case also yields distinguishable density plots.
The density distribution curves inspired us to further analyze the feasibility of IAT feature with packet
type and length in our wearable device identification framework. For this, we incorporated different
machine learning algorithms into our wearable fingerprinting framework on top of the IAT feature. We
divided probability density curves into 300 bins and converted the area inside each bin into a feature as
described in Algorithm 2. Thus, each session in captures was enrolled as a signature in the database.
Further, as described earlier, we used the Weka [28] software. In addition to the ML algorithms provided
in Weka, we also included an external neural network implementation with a plugin for Weka [29]. We
followed Weka conventions and used 66 percent of captured sessions for learning and used the remaining
for the testing phase. Note that our framework is able to choose the best ML algorithm from the training
data as explained in Section 4 and Algorithm 1. The framework picked Random Forest algorithm as the
best ML algorithm in the experiment. Table 4 lists top-10 classification results with different filters from
fingerprinting of wearables. The all-all case, in which all protocols and all packet sizes are covered (i.e., no
packet length and protocol type filter is applied), provides 97% accuracy. However, the highest accuracy,
98%, is obtained for the RFCOMM-10 case, where the protocol == RFCOMM and pkt length > 10 filters
were applied. As seen in the table, our framework yields accuracy performance from 94% to 98% for
the different studied filterings and the picked ML algorithm. Thus, the experiment results support that the
approach of picking the most accurate ML algorithm at the training phase provides highly accurate results
in the testing phase also. Table 5 displays the accuracy details for the RFCOMM-10 case. The average false
positive (FP) rate is lower than 1% and both Precision and Recall are as high as 98%. The proposed
framework is a complementary security mechanism that is non-intrusive. In other words, it does not
require running anything at the wearable device. Bluetooth traffic can be captured by the connected
network device or by a third device. Traffic capturing is a passive task that does not introduce any delay
and usability of wearables is not affected by the proposed framework. In summary, our detailed analysis
and results with high accuracy and recall rates demonstrate the efficacy of our proposed wearable device
identification framework.
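The feature-extraction step described above, as an added Python example that is not the authors' code or their Algorithm 2: it applies the protocol and packet-length filters, bins the IATs into 300 bins, and uses each bin's area as a feature. The 0.15 s axis limit, the histogram density estimate, the nearest-signature match standing in for the Weka classifier, and all device labels and packets are assumptions constructed for illustration.

```python
N_BINS = 300      # number of bins stated in the paper
IAT_MAX = 0.15    # assumed upper edge of the IAT axis, in seconds

def iat_features(packets, protocol=None, min_len=0, n_bins=N_BINS, iat_max=IAT_MAX):
    """Turn one session into a signature: feature i is the area of the IAT
    density inside bin i, i.e. the share of inter-arrival times that fall there.
    packets: iterable of (timestamp_s, protocol, length_bytes).
    protocol / min_len mirror the paper's filters, e.g. RFCOMM-10."""
    times = sorted(t for t, proto, length in packets
                   if (protocol is None or proto == protocol) and length > min_len)
    if len(times) < 2:
        return None                      # too few packets survive the filter
    width = iat_max / n_bins
    counts = [0] * n_bins
    for prev, cur in zip(times, times[1:]):
        idx = min(int((cur - prev) / width), n_bins - 1)  # long gaps go to the last bin
        counts[idx] += 1
    total = len(times) - 1
    return [c / total for c in counts]   # sums to 1, like the area under a density curve

def l1_distance(a, b):
    """Sum of absolute per-bin differences between two signatures."""
    return sum(abs(x - y) for x, y in zip(a, b))

def identify(signature, enrolled):
    """Nearest enrolled signature by L1 distance (assumed stand-in classifier).
    enrolled: dict mapping device label -> signature."""
    return min(enrolled, key=lambda label: l1_distance(signature, enrolled[label]))

def session(gaps, protocol="RFCOMM", length=64, start=0.0):
    """Build a constructed session from a list of inter-arrival gaps (seconds)."""
    t, pkts = start, [(start, protocol, length)]
    for g in gaps:
        t += g
        pkts.append((t, protocol, length))
    return pkts

# Constructed enrolment data: two hypothetical devices with different pacing.
ENROLLED = {
    "watch-A": iat_features(session([0.01025] * 8), "RFCOMM", 10),
    "watch-B": iat_features(session([0.03025] * 8), "RFCOMM", 10),
}

# Constructed probe session from watch-A, interleaved with short SDP packets
# that the RFCOMM-10 filter removes before the IATs are computed.
probe = session([0.01025] * 5 + [0.01075] * 3) + session([0.004] * 10, "SDP", 8, 0.001)

if __name__ == "__main__":
    filtered = iat_features(probe, "RFCOMM", 10)
    print("identified as:", identify(filtered, ENROLLED))
    print("share of IATs in bin 20, filtered vs unfiltered:",
          filtered[20], iat_features(probe)[20])
```

Without the filter, the interleaved SDP packets split the RFCOMM gaps and move most of the mass into the lowest bins, which is why the filter choice changes the signature.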

6 SECURITY IMPACT: THREATS & USE CASES


6.1 Threats
In a wearable networking environment, the network can dynamically grow and shrink in size with new
wearable devices and equipment depending on the usage. New wearables can join and leave the network
and device configurations can change dynamically, more frequently than in usual networks. This situation,
unfortunately, poses challenges to the security posture of a network. Specifically, adversaries may target
the functions of the wearable devices or a network with wearables as follows:

Figure 7. IAT density distributions of wearables with different packet lengths. Panels: (a) pkt length > 10
bytes, (b) pkt length > 600 bytes, (c) pkt length > 1000 bytes. Axes: Time (seconds) vs. Density.

Figure 8. IAT density distributions of wearables with different underlying protocol types. Density is measured in 1/seconds.
Due to space limitations L2CAP, RFCOMM, and SDP are presented. Panels: (a) protocol == L2CAP,
(b) protocol == RFCOMM, (c) protocol == SDP.

Figure 9. IAT density distributions when both packet length and underlying Bluetooth protocol type are considered. Due to space
limitations HCI ACL, L2CAP, and RFCOMM are presented. Panels: (a) protocol == HCI ACL and pkt length > 600,
(b) protocol == RFCOMM and pkt length > 1000, (c) protocol == L2CAP and pkt length > 10. Axes: Time (seconds) vs. Density.

• (1) Unauthorized wearables with correct credentials: A network with wearables may include unauthorized
devices with legitimate credentials. For instance, wearable devices could be authenticated
to the network via an authorized user of the authentication realm for a specific purpose but could
still be part of the network even beyond their intended duration.
• (2) Wearable devices with counterfeit components: In a network with wearables, there may be
legitimate wearable devices with counterfeit architectural (internal) components (e.g., memory,
chip) [7], [8].
• (3) Outsider wearable devices (brute-force attackers): A network with wearables may include an outsider,
whose primary focus is to attempt to participate in the wearables network by exhaustively
searching for the correct credentials.
• (4) Information-leaking wearables: A network with wearables may include an active outsider or
compromised insider device that tries to leak important information about the network.

Table 4
Top-10 classification results with different filters from fingerprinting of wearables with Bluetooth classic.

Filtering Case    Accuracy (percent)
RFCOMM-10         98.3193
all-all           97.479
RFCOMM-all        97.479
all-600           96.6387
all-200           95.7983
RFCOMM-200        95.7983
all-400           94.958
all-800           94.1176
RFCOMM-600        94.1176
RFCOMM-400        94.1176

Table 5
Detailed accuracy results of the wearable fingerprinting framework for the identification of the wearables.

TP Rate  FP Rate  Precision  Recall  F-Measure  MCC    ROC Area  PRC Area  Class
1.000    0.020    0.913      1.000   0.955      0.946  1.000     1.000     ASUS ZenWatch
1.000    0.000    1.000      1.000   1.000      1.000  1.000     1.000     G Watch R
1.000    0.000    1.000      1.000   1.000      1.000  1.000     1.000     Galaxy S5
0.947    0.000    1.000      0.947   0.973      0.968  1.000     1.000     Gear Live
0.941    0.000    1.000      0.941   0.970      0.965  0.999     0.991     LG Urbane
1.000    0.000    1.000      1.000   1.000      1.000  1.000     1.000     Moto 360
1.000    0.000    1.000      1.000   1.000      1.000  1.000     1.000     SmartWatch 3
0.983    0.004    0.985      0.983   0.983      0.980  1.000     0.999     Weighted Avg.

Figure 10. A possible scenario where the proposed framework is utilized by an authentication server to check device identity
in addition to user credentials.

6.2 Use Cases for Security


Current security models were mostly built to verify the user, not the device itself. However, a
non-intrusive wearable fingerprinting mechanism such as the one proposed in this paper can complement
existing security mechanisms against these threats. Figure 10 illustrates a sample use of the proposed
fingerprinting technique with a traditional authentication system. When a connection request from a
BL speaking device with (1) credentials is received by an intermediate device (e.g., smart phone, laptop),
this intermediate device will (2) capture BL features and then (3) forward them with the credentials to the
authentication server. In addition to traditional credential controls, (4) the authentication server will use
fingerprinting techniques to identify the device and check whether this device should be allowed
to connect to the network with the given credentials. Enabling such additional controls would enhance the
authentication server’s ability to address the aforementioned threats in the following ways:
• (1) The wearable fingerprinting technique can detect unauthorized wearables with correct
credentials, as the authentication server would check whether the device is authorized to access the
network in addition to checking credentials. Furthermore, the fingerprinting technique can detect
unmanageable wearables alongside traditional access control mechanisms
(e.g., Network Access Control (NAC)), improving the efficacy of such products.
• (2) It can be used to help detect wearable devices with counterfeit or corrupt components,
as fingerprints depend on both software and hardware components of devices. As a device
with counterfeit or corrupt components will display different performance metrics (e.g., packet
production rate) when compared with a genuine one, the proposed fingerprinting technique would not
identify such devices as authentic ones.
• (3) It can be helpful in determining outsider wearable devices that use high resources to perform
brute-force attacks. As wearable devices are typically resource-limited, outsiders can use rogue
wearables to perform attacks inside the network. Such rogue wearables will have different
performance metrics, which can be detected by the proposed fingerprinting technique.
• (4) It can be used to identify resource-limited wearable devices accessing the network and further
enforce access control targeted at such devices. A smartwatch-like wearable device can be used
to leak information from a network where the mobility of physical devices like laptops and USB devices
is restricted. An insider may attempt to use a wearable device like a smartwatch (some of
which look identical to regular watches) to access a restricted network and leak information to
the outside. In addition to credentials control, detection of accesses from such wearable devices helps
to address such threats.
Thus, the machine learning based fingerprinting framework proposed in this work infers the device
type information as cyber intelligence. This intelligence can be utilized by any authentication or
authorization function in the network where both the claimed identity of a device and any attempted
action can be further checked with the actual device type to determine whether this is a suspicious
activity, i.e., a cyber threat. Obviously, such cyber threat intelligence would increase the overall security
posture of the network.

7 CONCLUSION
Cyberspace is expanding quickly with the introduction of new wearable devices (e.g., smart watches).
Given the increasingly critical nature of the cyberspace of these wearable devices, it is imperative that
they are secured. An adversary only needs one entry point to infiltrate networks. Nonetheless, the
current security mechanisms are focused on validating the user, not the device itself. An unauthorized
wearable device even with an authorized user can perpetrate malicious activities. Hence, in this work, we
considered wearable fingerprinting as a non-intrusive complementary security mechanism for wearables.
Specifically, we introduced a wearable fingerprinting framework focusing on the characteristics of
Bluetooth classic protocol, which is a common protocol used in the wearables realm. Our framework also
included a comprehensive set of Machine Learning (ML) algorithms (20 different ML algorithms) in the
classification process to pick the best performing algorithm. Furthermore, we evaluated the performance
of our wearable fingerprinting technique on real wearable devices. Our evaluation demonstrated the
functionality and feasibility of the proposed technique. Specifically, our detailed accuracy results show,
on average, 98.5% precision and 98.3% recall for wearables using the Bluetooth classic protocol. In
essence, the proposed machine learning based fingerprinting framework provides reliable device type
information to any authentication or authorization point in the network where the claimed identity or
attempted action can be further checked to determine whether this is a suspicious activity, i.e., a cyber
threat. Certainly, such cyber threat intelligence would improve the overall security posture of emerging
IoT networks with multiple wearable devices.

ACKNOWLEDGMENTS
The authors acknowledge US Air Force Research Lab’s (AFRL-FA8750-13-2-0116) and National Science
Foundation’s (NSF-CAREER-CNS-1453647) support in this work. Any opinions, findings and conclusions or
recommendations expressed in this material are those of the authors and do not necessarily reflect the
views of the funding agencies.

REFERENCES
[1] S. M. Kelly, “Experts: Internet of things and wearables will dominate by 2025,” July 2015, http://mashable.com/2014/05/14/pew-iot-study.
[2] D. Evans, “The Internet of Things: How the next evolution of the Internet is changing everything,” Apr. 2011. [Online]. Available:
https://www.cisco.com/web/about/ac79/docs/innov/IoT IBSG 0411FINAL.pdf
[3] P. F. Drucker, “Internet of Things position paper on standardization for IoT technologies,” Jan. 2015. [Online]. Available:
http://www.internet-of-things-research.eu/pdf/IERC Position Paper IoT Standardization Final.pdf
[4] J. Comstock, “http://mobihealthnews.com/37543/pwc-1-in-5-americans-owns-a-wearable-1-in-10-wears-them-daily/,” Mobi Health
News, 2014.
[5] R. E. Miller, D.-L. Chen, D. Lee, and R. Hao, “Coping with nondeterminism in network protocol testing,” in Testing of Communicating
Systems. Springer, 2005, pp. 129–145.
[6] J. Caballero, S. Venkataraman, P. Poosankam, M. G. Kang, D. Song, and A. Blum, “Fig: Automatic fingerprint generation,” Department of
Electrical and Computing Engineering, p. 27, 2007.
[7] Office of The Secretary of The Department of Defense, “Resilient military systems and the advanced cyber threat final
report,” in Defense Science Board Task Force on Resilient Military Systems, Jan 2013.
[8] S. Stecklow, “Exclusive: U.S. nuclear lab removes Chinese tech over security fears,” Jan 2013,
http://www.reuters.com/article/2013/01/07/us-huawei-alamos-idUSBRE90608B20130107.
[9] W. Liu, A. Uluagac, and R. Beyah, “Maca: A privacy-preserving multi-factor cloud authentication system utilizing big data,” in Computer
Communications Workshops (INFOCOM WKSHPS), 2014 IEEE Conference on, April 2014, pp. 518–523.
[10] T. Kohno, A. Broido, and K. Claffy, “Remote physical device fingerprinting,” in 2005 IEEE Symposium on Security and Privacy (S&P’05),
May 2005, pp. 211–225.
[11] S. Jana and S. K. Kasera, “On fast and accurate detection of unauthorized wireless access points using clock skews,” IEEE Transactions
on Mobile Computing, vol. 9, no. 3, pp. 449–462, March 2010.
[12] L. Letaw, J. Pletcher, and K. Butler, “Host identification via usb fingerprinting,” Systematic Approaches to Digital Forensic Engineering
(SADFE), 2011.
[13] B. Danev, D. Zanetti, and S. Capkun, “On physical-layer identification of wireless devices,” ACM Comput. Surv., vol. 45, no. 1, pp.
6:1–6:29, Dec. 2012. [Online]. Available: http://doi.acm.org/10.1145/2379776.2379782
[14] J. Hall, M. Barbeau, and E. Kranakis, “Rogue devices in bluetooth networks using radio frequency fingerprinting,” in IASTED
International Conf. on Communications and Computer Networks (CCN), 2006.
[15] V. Brik, S. Banerjee, M. Gruteser, and S. Oh, “Wireless device identification with radiometric signatures,” in Proc. of the 14th ACM
International Conf. on Mobile Computing and Networking (MobiCom), 2008.
[16] S. Uluagac, S. V. Radhakrishnan, C. L. Corbett, A. Baca, and R. Beyah, “A passive technique for fingerprinting wireless devices with
wired-side observations,” in 2013 IEEE Conference on Communications and Network Security (CNS) (IEEE CNS 2013), Washington, USA,
Oct. 2013, pp. 471–479.
[17] S. V. Radhakrishnan, A. S. Uluagac, and R. Beyah, “Gtid: A technique for physical device and device type fingerprinting,” IEEE
Transactions on Dependable and Secure Computing, vol. 99, no. PrePrints, p. 1, 2015.
[18] Q. Xu, R. Zheng, W. Saad, and Z. Han, “Device fingerprinting in wireless networks: Challenges and opportunities,” Communications
Surveys Tutorials, IEEE, vol. 18, no. 1, pp. 94–104, Firstquarter 2016.
[19] “Tizen operating system,” 2015, https://www.tizen.org.
[20] “Pebble operating system,” 2015, https://blog.getpebble.com.
[21] “The story behind bluetooth technology,” 2015, https://www.bluetooth.com/what-is-bluetooth-technology/bluetooth.
[22] “History of bluetooth,” 2015, https://www.bluetooth.com/media/our-history.
[23] G. Shu and D. Lee, “A formal methodology for network protocol fingerprinting,” Parallel and Distributed Systems, IEEE Transactions on,
vol. 22, no. 11, pp. 1813–1825, Nov 2011.
[24] “Python scapy,” 2015, http://www.secdev.org/projects/scapy.
[25] “Tcpdump: A packet analyzer tool,” 2015, http://www.tcpdump.org/.
[26] “Wireshark,” 2015, https://www.wireshark.org.
[27] “Project ubertooth,” 2015, http://ubertooth.sourceforge.net.
[28] M. Hall, E. Frank, G. Holmes, B. Pfahringer, P. Reutemann, and I. H. Witten, “The weka data mining software: An update,” SIGKDD
Explor. Newsl., vol. 11, no. 1, pp. 10–18, Nov. 2009. [Online]. Available: http://doi.acm.org/10.1145/1656274.1656278
[29] “Java (convolutional or fully-connected) neural network implementation with plugin for weka. uses dropout and rectified linear units.”
2016, https://github.com/amten/NeuralNetwork.

Hidayet AKSU received his Ph.D., M.S. and B.S. degrees from Bilkent University, all in Department of
Computer Engineering, in 2014, 2008 and 2005, respectively. He is currently a Postdoctoral Associate
in the Department of Electrical & Computer Engineering at Florida International University (FIU).
Before that, he worked as an Adjunct Faculty in the Computer Engineering Department of Bilkent
University. He conducted research as visiting scholar at IBM T.J. Watson Research Center, USA in
2012-2013. He also worked for Scientific and Technological Research Council of Turkey (TUBITAK).
His research interests include security for cyber-physical systems, internet of things, security for critical
infrastructure networks, IoT security, security analytics, social networks, big data analytics, distributed
computing, wireless networks, wireless ad hoc and sensor networks, localization, and p2p networks.

Dr. A. Selcuk Uluagac is currently an Assistant Professor in the Department of Electrical and
Computer Engineering (ECE) at Florida International University (FIU). Before joining FIU, he was a
Senior Research Engineer in the School of Electrical and Computer Engineering (ECE) at Georgia
Institute of Technology. Prior to Georgia Tech, he was a Senior Research Engineer at Symantec.
He earned his Ph.D. with a concentration in information security and networking from the School
of ECE, Georgia Tech in 2010. He also received an M.Sc. in Information Security from the School
of Computer Science, Georgia Tech and an M.Sc. in ECE from Carnegie Mellon University in 2009
and 2002, respectively. The focus of his research is on cyber security topics with an emphasis on
its practical and applied aspects. He is interested in and currently working on problems pertinent to
the security of Cyber-Physical Systems and Internet of Things. In 2015, he received a Faculty Early
Career Development (CAREER) Award from the US National Science Foundation (NSF). In 2015, he
was awarded the US Air Force Office of Sponsored Research (AFOSR)’s 2015 Summer Faculty Fellowship. He is also an
active member of IEEE (senior grade), ACM, and ASEE and a regular contributor to national panels and leading journals
and conferences in the field. Currently, he is the area editor of Elsevier Journal of Network and Computer Applications and
serves on the editorial board of the IEEE Communication Surveys and Tutorials. More information can be obtained from:
http://web.eng.fiu.edu/selcuk.

Elizabeth Serena Bentley has a B.S. degree in Electrical Engineering from Cornell University, a M.S. degree in Electrical
Engineering from Lehigh University, and a Ph.D. degree in Electrical Engineering from University at Buffalo. She was a
National Research Council Post-Doctoral Research Associate at the Air Force Research Laboratory in Rome, NY. Currently,
she is employed by the Air Force Research Laboratory in Rome, NY, performing in-house research and development
in the Networking Technology branch. Her research interests are in cross-layer optimization, wireless multiple-access
communications, wireless video transmission, modeling and simulation, and directional antennas/directional networking.
