Breaking Fitness Records Without Moving: Reverse Engineering and Spoofing Fitbit

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2017)

Abstract

Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors’ cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on the devices we analyze. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.

Notes

  1. The source code of our plug-in is available at https://seemoo.de/fitbit-wireshark.

  2. A Nonstandard for Transmission of IP Datagrams over Serial Lines: SLIP.

  3. http://www.st.com/en/embedded-software/stsw-link004.html.

  4. See https://www.thedigitalstandard.org.

  5. During discussions we had with Fitbit, the company stressed that models launched after 2015 consistently enforce encryption in the communications between the tracker and server.

Acknowledgments

Hossein Fereidooni is supported by the Deutsche Akademische Austauschdienst (DAAD). Mauro Conti is supported by the EU TagItSmart! Project (agreement H2020-ICT30-2015-688061) and IT-CNR/Taiwan-MOST 2016-17 “Verifiable Data Structure Streaming”. This work has been co-funded by the DFG as part of projects S1 and S2 within the CRC 1119 CROSSING, and by the BMBF within CRISP. Paul Patras has been partially supported by the Scottish Informatics and Computer Science Alliance (SICSA) through a PECE grant.

We thank the Fitbit Security Team for their professional collaboration with us, and their availability to discuss our findings and address the vulnerabilities we identified.

Author information

Correspondence to Hossein Fereidooni.

Electronic supplementary material

Below is the link to the electronic supplementary material.

Supplementary material 1 (txt 1 KB)

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Fereidooni, H. et al. (2017). Breaking Fitness Records Without Moving: Reverse Engineering and Spoofing Fitbit. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science, vol. 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_3

  • DOI: https://doi.org/10.1007/978-3-319-66332-6_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66331-9

  • Online ISBN: 978-3-319-66332-6

  • eBook Packages: Computer Science (R0)
