Conference Paper

Breaking Fitness Records Without Moving: Reverse Engineering and Spoofing Fitbit


Abstract and Figures

Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors’ cloud platforms, enabling users to analyze summary statistics online and adjust their habits. Third parties, including health insurance providers, now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security-through-obscurity approach implemented by the user activity synchronization protocol running on the devices we analyze. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that, based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.
[Figure residue from the paper's annotated protocol dumps; only the recoverable labels are kept here.
Figure: step counting illustrated with the 1st, 2nd and 3rd steps and a distance of 522 720 mm (0.52 km).
Figure: annotated sync message with the fields Message Type, Device Type, Encrypted Packet?, Sequence Number, Firmware Version, Charge (mV), Walking Stride (mm), Running Stride (mm), Charge (%), Greetings/Cheering (ASCII strings HELLO, HOWDY, WOOT!) and Delimiter (c0 db dc dd).
Figure: step-count records with Timestamp, Records Start, Step Count Record, Record Terminators and Section Terminator.
Figure: summary record with Active minutes, Floors, Elevation, Distance (mm), Total No. Steps, Calories, Timestamp, Payload Length and Checksum.
Table residue: distance values of 10 km and the value 16 777 215.]
... Finally, they recommended approaches for avoiding matching incoming vulnerabilities in system techniques. They made use of several tools in that experiment such as mitmproxy on Linux, Wireshark, STM32 ST-LINK Utility, a digital multimeter, a soldering iron, thin gauge wire and flux, tweezers, a soldering heat gun, the ST-LINK/V2 in-circuit debugger/programmer, and the STM32 ST-LINK utility [20]. ...
Article
Purpose: The use of wearable devices to monitor aspects of personal health is increasing. The Fitbit is an example of a popular device used for this purpose. It is unknown whether users’ privacy (i.e. sensitive data collected from wearable devices) would be leaked via unauthorized access. So, this investigation will answer the following questions: Are the data transmissions protected against unauthorised access or modification? What data are transmitted between the device and the server? How much data can be collected by unauthorized access? Method: This paper describes an investigation into data access in the Fitbit Blaze and, specifically, whether this is possible without connecting to the Fitbit server. A Man-In-The-Middle (MITM) attack was used in this investigation. Result: In this experiment, the firmware image, transferred when the device connects to the Fitbit server, is first captured and analysed to obtain data. This was done to attempt to identify the encryption method and obtain the unique device MAC address. Secondly, some fitness data, namely the authentication key, the cryptographic key and the Nonce, were extracted from the Fitbit application. We attempted to connect the Fitbit Blaze device and the Fitbit application directly without connecting via the Fitbit server. We also attempted direct access to the Fitbit Blaze using a charger cable. In addition, Fitbit Java files were extracted from the Fitbit application. Conclusion: Finally, the outcomes of this investigation are compared with investigations into other Fitbit devices in the previous research.
... In some cases, capturing and analyzing the network traffic will help to determine update intervals. [43] The assessor might be able to capture parts of or the complete firmware and source code. ...
Thesis
Internet-of-things (IoT) devices can improve the efficiency and availability of medical examinations by great lengths. Although IoT healthcare devices often store or process sensitive information or perform operations that could seriously harm a patient if tampered with, the security, safety and privacy in medical devices often lags behind the modern state-of-the-art. While the results of security breaches can be financially devastating or harmful to health, these issues are weighed against the positive effects the usage of medical devices brings forth. To contribute to the development of secure and safe medical devices, this thesis provides an overview of technical background information on medical devices. This thesis will introduce a novel methodology for the assessment of security, safety and privacy in IoT healthcare devices by describing crucial steps in the assessment of IoT devices as can be found in existing approaches for security testing and by an adaptation to the characteristics of medical devices. To evaluate our methodology we conducted a study with five seasoned security testers. The study showed that the methodology provides a stable framework for security assessments of IoT healthcare devices and that it is able to successfully guide testers in their practical work. The study revealed that methodologies polarize security testers and that the participants did not know any methodology with outstanding usability. The participants expressed their wish to be better informed when testing products of the critical infrastructure, while stating that the proposed methodology contained unnecessary details.
To handle the discrepancy between the vast amount of information a security tester needs and his wish for information being presented in small chunks, security researchers need to find a way to provide centralized and authoritative information and should consider developing dynamic strategies to address the dynamic problem of securing devices in times of ever faster technological progress and changing regulations.
... Numerous nodes are vulnerable to this kind of attack due to the security flaws and weak authentication mechanisms. For instance, the lack of encryption of some devices enables attackers to seamlessly hijack communications and capture private data such as session identifiers, passwords and health data [291,293,303,305,313,[336][337][338]. Of further concern, studies have also discovered MitM-enabling vulnerabilities in protocols integrated in implantable medical devices [339,340]. ...
Article
The advances in the miniaturisation of electronic devices and the deployment of cheaper and faster data networks have propelled environments augmented with contextual and real-time information, such as smart homes and smart cities. These context-aware environments have opened the door to numerous opportunities for providing added-value, accurate and personalised services to citizens. In particular, smart healthcare, regarded as the natural evolution of electronic health and mobile health, contributes to enhancing medical services and people’s welfare, while shortening waiting times and decreasing healthcare expenditure. However, the large number, variety and complexity of devices and systems involved in smart health systems involve a number of challenging considerations to be considered, particularly from security and privacy perspectives. To this aim, this article provides a thorough technical review on the deployment of secure smart health services, ranging from the very collection of sensor data (either related to the medical conditions of individuals or to their immediate context), the transmission of these data through wireless communication networks, to the final storage and analysis of such information in the appropriate health information systems. As a result, we provide practitioners with a comprehensive overview of the existing vulnerabilities and solutions in the technical side of smart healthcare.
... Weak encryption may occur due to limitations in the software, hardware, power availability, or weak programming practices, which may expose a wearable to attacks. In the past, research has shown that manufacturers sell consumer wearables with a lack of encryption, and so they can be attacked either through passively eavesdropping on Bluetooth connections, through man in the middle (MITM) attacks, or by failing to encrypt data stored locally [172,[176][177][178][179]. These attacks can violate user privacy, impersonate a user, or fabricate data submitted to a remote service. ...
Article
Wearable sensing technologies are having a worldwide impact on the creation of novel business opportunities and application services that are benefiting the common citizen. By using these technologies, people have transformed the way they live, interact with each other and their surroundings, their daily routines, and how they monitor their health conditions. We review recent advances in the area of wearable sensing technologies, focusing on aspects such as sensor technologies, communication infrastructures, service infrastructures, security, and privacy. We also review the use of consumer wearables during the coronavirus disease 19 (COVID-19) pandemic caused by the severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2), and we discuss open challenges that must be addressed to further improve the efficacy of wearable sensing systems in the future.
Article
Over the past decade, wearable activity trackers (WATs) have become increasingly popular. However, despite many research studies in different fields (such as psychology, health, and design), few have sought to jointly examine the critical aspects of utility (i.e., benefits brought by these devices), privacy, and security (i.e., risks and vulnerabilities associated with them). To fill this gap, we reviewed 236 studies that researched the benefits of using WATs, the implications for the privacy of users of WATs, and the security vulnerabilities of these devices. Our survey revealed that these devices expose users to several threats. For example, WAT data can be mined to infer private information, such as the personality traits of the user. Whereas many works propose empirical findings about users’ privacy perceptions and their behaviors in relation to privacy, we found relatively few studies researching technologies to better protect users’ privacy with these devices. This survey contributes to systematizing knowledge on the utility, privacy, and security of WATs, shedding light on the state-of-the-art approaches with these devices, and discussing open research opportunities.
Article
Detection of anomalies is the identification of unusual items, events or observations that raise suspicions by significantly differing from the majority of the data. It is a technique used to identify unusual patterns, called outliers, which do not conform to expected behavior. For several applications such as financial and communication services, public health, and climate studies, detection of anomalies is important. In this paper, we are proposing a two-step methodology for classification of anomalies in big data streams. Initially, the class labels for the data stream are generated by using a dense stream algorithm; the predicted class labels are then used to train and classify gated recurrent unit (GRU)-based recurrent neural networks. In our proposed algorithm, the dense stream clustering algorithm needs to be performed periodically when there is a drastic change in the data. GRU networks can then take the data to effectively classify the anomalies.
Chapter
In pandemic situations, physicians will never have direct contact with the patients. Hence, a remote health management device is developed in this paper using ESP32 and the ThingSpeak cloud application. If a person is suspected of having COVID-19, he has to contact the primary health centre nearest to him, where the developed device has already been located. The person has to place the above device in contact with his body to measure temperature, heartbeat, oxygen level and cough. The same device will have the feature to measure room temperature and humidity. Various sensors are used to detect the above parameters. The sensed values will be taken up by the ESP32. The data from the ESP32 is stored in the cloud through the ThingSpeak application. The physician can take over the details from the cloud and diagnose whether the person is suffering from COVID-19 or not. In this paper, the diagnostic information followed by the physician is a body temperature >37.8 °C, a heartbeat >100, an oxygen level <95 and a vibration of cough (dry or wet) >116 dB. If these measures are satisfied then the buzzer sounds, which alerts the consulting physician.
Chapter
Radiofrequency Identification (RFID) is an automated technology for communication between two objects, a reader and a tag. The fundamental challenge in the chipless RFID tag is to encode the data without a chip. This problem is solved by the use of a resonator, utilizing electromagnetic properties to encode the bits of data. The structure conducts deep absorption of the impinging signal at multiple frequencies associated with the resonator loops. This paper presents an enhancement of many designs for chipless tags with good performance. The proposed tags were designed in two ways. First, a square tag to encode 8 data bits; a Rogers RO4003C substrate has been used that spans 12 x 12 mm2, which shows the possibility of obtaining good data capacity with a small area. Second, a tag with 7 concentric circular rings overlapped with different metals, in addition to a solid circle situated inside the rings; this tag was designed to suit mass production techniques, with low-cost materials used for the substrate, and is called the Overlapped Metals Tag (OMT).
Chapter
Differential privacy (DP) techniques provide important mathematical guarantees of privacy, and in particular local DP mechanisms are used to protect individual privacy without needing to trust any external entity. However, validation of these techniques is usually carried out using static datasets, since IoT devices generating real-time streaming data pose additional difficulties. Hence, the current work aims to validate the effectiveness of one such scheme, Privacy-Preserving Endpoint Aggregation (PPEA), on real-time private data obtained from resource-constrained edge devices by measuring utility metrics for the average operation aggregate function. This paper aims to study the feasibility of implementing PPEA for periodic real-time heart rate collection from fitness trackers, which are pervasive IoT devices within the personal healthcare domain capable of recording individuals' private data, by considering factors like memory consumption, execution time, and power consumption. We address challenges concerning resource limitations on edge devices regarding the lack of out-of-the-box provisions for implementing randomization techniques to achieve DP on streaming data. © 2021, The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Conference Paper
The fusion of social networks and wearable sensors is becoming increasingly popular, with systems like Fitbit automating the process of reporting and sharing user fitness data. In this paper we show that while compelling, the integration of health data into social networks is fraught with privacy and security vulnerabilities. Case in point, by reverse engineering the communication protocol, storage details and operation codes, we identified several vulnerabilities in Fitbit. We have built FitBite, a suite of tools that exploit these vulnerabilities to launch a wide range of attacks against Fitbit. Besides eavesdropping, injection and denial of service, several attacks can lead to rewards and financial gains. We have built FitLock, a lightweight defense system that protects Fitbit while imposing only a small overhead. Our experiments on BeagleBoard and Xperia devices show that FitLock's end-to-end overhead over Fitbit is only 2.4%.
Article
The increasing popular interest in personal telemetry, also called the Quantified Self or "lifelogging", has induced a popularity surge for wearable personal fitness trackers. Fitness trackers automatically collect sensor data about the user throughout the day, and integrate it into social network accounts. Solution providers have to strike a balance between many constraints, leading to a design process that often puts security in the back seat. Case in point, we reverse engineered and identified security vulnerabilities in Fitbit Ultra and Garmin Forerunner 610, two popular and representative fitness tracker products. We introduce FitBite and GarMax, tools to launch efficient attacks against Fitbit and Garmin. We devise SensCrypt, a protocol for secure data storage and communication, for use by makers of affordable and lightweight personal trackers. SensCrypt thwarts not only the attacks we introduced, but also defends against powerful JTAG Read attacks. We have built Sens.io, an Arduino Uno based tracker platform, of similar capabilities but at a fraction of the cost of current solutions. On Sens.io, SensCrypt imposes a negligible write overhead and significantly reduces the end-to-end sync overhead of Fitbit and Garmin.
Conference Paper
As wearable fitness trackers gain widespread acceptance among the general population, there is a concomitant need to ensure that associated privacy and security vulnerabilities are kept to a minimum. We discuss potential vulnerabilities of these trackers, in general, and specific vulnerabilities in one such tracker - Fitbit - identified by Rahman et al. (2013) who then proposed means to address identified vulnerabilities. However, the 'fix' has its own vulnerabilities. We discuss possible means to alleviate related issues.