Breaking fitness records without moving: reverse engineering and spoofing fitbit

Hossein Fereidooni; Jiska Classen; Tom Spink; Paul Patras; Markus Miettinen; Ahmad-Reza Sadeghi; Matthias Hollick; Mauro Conti

doi:10.1007/978-3-319-66332-6_3

Breaking fitness records without moving: reverse engineering and spoofing fitbit

Hossein Fereidooni, Jiska Classen, Tom Spink, Paul Patras, Markus Miettinen, Ahmad-Reza Sadeghi, Matthias Hollick, Mauro Conti

School of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors' cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on these devices. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.

Original language	English
Title of host publication	Research in Attacks, Intrusions, and Defenses
Subtitle of host publication	20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18–20, 2017, Proceedings
Editors	Marc Dacier, Michael Bailey, Michalis Polychronakis, Manos Antonakakis
Place of Publication	Cham
Publisher	Springer, Cham
Pages	48-69
Number of pages	22
ISBN (Electronic)	9783319663326
ISBN (Print)	9783319663319
DOIs	https://doi.org/10.1007/978-3-319-66332-6_3
Publication status	Published - 2017
Event	International Symposium on Research in Attacks, Intrusions and Defenses - Georgia Tech Hotel and Conference Center , Atlanta, United States Duration: 18 Sept 2017 → 20 Sept 2017 https://www.raid2017.org/

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	10453
ISSN (Print)	0302-9743

Conference

Conference	International Symposium on Research in Attacks, Intrusions and Defenses
Abbreviated title	(RAID)
Country/Territory	United States
City	Atlanta
Period	18/09/17 → 20/09/17
Internet address	https://www.raid2017.org/

Keywords

Fitness trackers
Reverse engineering
Spoofing
Fitbit

Access to Document

10.1007/978-3-319-66332-6_3

Fereidooni_2017_Breaking-Fitness-Records_AAM
Copyright © Springer International Publishing AG 2017. This work has been made available online in accordance with publisher policies or with permission. Permission for further reuse of this content should be sought from the publisher or the rights holder. This is the author created accepted manuscript following peer review and may differ slightly from the final published version. The final published version of this work is available at https://doi.org/10.1007/978-3-319-66332-6_3.
Accepted author manuscript, 3.52 MB

Cite this

Fereidooni, H., Classen, J., Spink, T., Patras, P., Miettinen, M., Sadeghi, A.-R., Hollick, M., & Conti, M. (2017). Breaking fitness records without moving: reverse engineering and spoofing fitbit. In M. Dacier, M. Bailey, M. Polychronakis, & M. Antonakakis (Eds.), Research in Attacks, Intrusions, and Defenses: 20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18–20, 2017, Proceedings (pp. 48-69). (Lecture Notes in Computer Science; Vol. 10453). Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_3

Fereidooni, Hossein ; Classen, Jiska ; Spink, Tom et al. / Breaking fitness records without moving : reverse engineering and spoofing fitbit. Research in Attacks, Intrusions, and Defenses: 20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18–20, 2017, Proceedings. editor / Marc Dacier ; Michael Bailey ; Michalis Polychronakis ; Manos Antonakakis. Cham : Springer, Cham, 2017. pp. 48-69 (Lecture Notes in Computer Science).

@inproceedings{488ee7d568fb404e915294a7be56071e,

title = "Breaking fitness records without moving: reverse engineering and spoofing fitbit",

abstract = "Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors' cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on these devices. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.",

keywords = "Fitness trackers, Reverse engineering, Spoofing, Fitbit",

author = "Hossein Fereidooni and Jiska Classen and Tom Spink and Paul Patras and Markus Miettinen and Ahmad-Reza Sadeghi and Matthias Hollick and Mauro Conti",

note = "Funding: Hossein Fereidooni is supported by the Deutsche Akademische Austauschdienst (DAAD). Mauro Conti is supported by the EU TagItSmart! Project (agreement H2020-ICT30-2015-688061) and IT-CNR/Taiwan-MOST 2016-17 “Verifiable Data Structure Streaming”. This work has been co-funded by the DFG as part of projects S1 and S2 within the CRC 1119 CROSSING, and by the BMBF within CRISP. Paul Patras has been partially supported by the Scottish Informatics and Computer Science Alliance (SICSA) through a PECE grant.; International Symposium on Research in Attacks, Intrusions and Defenses, (RAID) ; Conference date: 18-09-2017 Through 20-09-2017",

year = "2017",

doi = "10.1007/978-3-319-66332-6_3",

language = "English",

isbn = "9783319663319",

series = "Lecture Notes in Computer Science",

publisher = "Springer, Cham",

pages = "48--69",

editor = "Marc Dacier and Michael Bailey and Michalis Polychronakis and Manos Antonakakis",

booktitle = "Research in Attacks, Intrusions, and Defenses",

url = "https://www.raid2017.org/",

}

Fereidooni, H, Classen, J, Spink, T, Patras, P, Miettinen, M, Sadeghi, A-R, Hollick, M & Conti, M 2017, Breaking fitness records without moving: reverse engineering and spoofing fitbit. in M Dacier, M Bailey, M Polychronakis & M Antonakakis (eds), Research in Attacks, Intrusions, and Defenses: 20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18–20, 2017, Proceedings. Lecture Notes in Computer Science, vol. 10453, Springer, Cham, Cham, pp. 48-69, International Symposium on Research in Attacks, Intrusions and Defenses, Atlanta, Georgia, United States, 18/09/17. https://doi.org/10.1007/978-3-319-66332-6_3

Breaking fitness records without moving: reverse engineering and spoofing fitbit. / Fereidooni, Hossein; Classen, Jiska; Spink, Tom et al.
Research in Attacks, Intrusions, and Defenses: 20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18–20, 2017, Proceedings. ed. / Marc Dacier; Michael Bailey; Michalis Polychronakis; Manos Antonakakis. Cham: Springer, Cham, 2017. p. 48-69 (Lecture Notes in Computer Science; Vol. 10453).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Breaking fitness records without moving

T2 - International Symposium on Research in Attacks, Intrusions and Defenses

AU - Fereidooni, Hossein

AU - Classen, Jiska

AU - Spink, Tom

AU - Patras, Paul

AU - Miettinen, Markus

AU - Sadeghi, Ahmad-Reza

AU - Hollick, Matthias

AU - Conti, Mauro

N1 - Funding: Hossein Fereidooni is supported by the Deutsche Akademische Austauschdienst (DAAD). Mauro Conti is supported by the EU TagItSmart! Project (agreement H2020-ICT30-2015-688061) and IT-CNR/Taiwan-MOST 2016-17 “Verifiable Data Structure Streaming”. This work has been co-funded by the DFG as part of projects S1 and S2 within the CRC 1119 CROSSING, and by the BMBF within CRISP. Paul Patras has been partially supported by the Scottish Informatics and Computer Science Alliance (SICSA) through a PECE grant.

PY - 2017

Y1 - 2017

N2 - Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors' cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on these devices. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.

AB - Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors' cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on these devices. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.

KW - Fitness trackers

KW - Reverse engineering

KW - Spoofing

KW - Fitbit

U2 - 10.1007/978-3-319-66332-6_3

DO - 10.1007/978-3-319-66332-6_3

M3 - Conference contribution

SN - 9783319663319

T3 - Lecture Notes in Computer Science

SP - 48

EP - 69

BT - Research in Attacks, Intrusions, and Defenses

A2 - Dacier, Marc

A2 - Bailey, Michael

A2 - Polychronakis, Michalis

A2 - Antonakakis, Manos

PB - Springer, Cham

CY - Cham

Y2 - 18 September 2017 through 20 September 2017

ER -

Fereidooni H, Classen J, Spink T, Patras P, Miettinen M, Sadeghi AR et al. Breaking fitness records without moving: reverse engineering and spoofing fitbit. In Dacier M, Bailey M, Polychronakis M, Antonakakis M, editors, Research in Attacks, Intrusions, and Defenses: 20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18–20, 2017, Proceedings. Cham: Springer, Cham. 2017. p. 48-69. (Lecture Notes in Computer Science). Epub 2017 Oct 12. doi: 10.1007/978-3-319-66332-6_3

Breaking fitness records without moving: reverse engineering and spoofing fitbit

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this