Breaking fitness records without moving: reverse engineering and spoofing fitbit

Hossein Fereidooni, Jiska Classen, Tom Spink, Paul Patras, Markus Miettinen, Ahmad-Reza Sadeghi, Matthias Hollick, Mauro Conti

Research output: Chapter in Book/Report/Conference proceedingConference contribution

18 Citations (Scopus)
1 Downloads (Pure)


Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors' cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on these devices. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.
Original languageEnglish
Title of host publicationResearch in Attacks, Intrusions, and Defenses
Subtitle of host publication20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18–20, 2017, Proceedings
EditorsMarc Dacier, Michael Bailey, Michalis Polychronakis, Manos Antonakakis
Place of PublicationCham
PublisherSpringer, Cham
Number of pages22
ISBN (Electronic)9783319663326
ISBN (Print)9783319663319
Publication statusPublished - 2017
EventInternational Symposium on Research in Attacks, Intrusions and Defenses - Georgia Tech Hotel and Conference Center , Atlanta, United States
Duration: 18 Sept 201720 Sept 2017

Publication series

NameLecture Notes in Computer Science
ISSN (Print)0302-9743


ConferenceInternational Symposium on Research in Attacks, Intrusions and Defenses
Abbreviated title(RAID)
Country/TerritoryUnited States
Internet address


  • Fitness trackers
  • Reverse engineering
  • Spoofing
  • Fitbit


Dive into the research topics of 'Breaking fitness records without moving: reverse engineering and spoofing fitbit'. Together they form a unique fingerprint.

Cite this