Abstract
Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors' cloud platforms, enabling users to analyze summary statistics online and adjust their habits. Third parties, including health insurance providers, now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the collected activity data become imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security-through-obscurity approach implemented by the user activity synchronization protocol running on the devices we analyze. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that, based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.
Notes
- 1. The source code of our plug-in is available at https://seemoo.de/fitbit-wireshark.
- 2. A Non-standard for transmission of IP Data-grams over Serial Lines: SLIP.
- 3.
- 4.
- 5. During discussions we had with Fitbit, the company stressed that models launched after 2015 consistently enforce encryption in the communications between the tracker and server.
Acknowledgments
Hossein Fereidooni is supported by the Deutscher Akademischer Austauschdienst (DAAD). Mauro Conti is supported by the EU TagItSmart! Project (agreement H2020-ICT30-2015-688061) and IT-CNR/Taiwan-MOST 2016-17 "Verifiable Data Structure Streaming". This work has been co-funded by the DFG as part of projects S1 and S2 within the CRC 1119 CROSSING, and by the BMBF within CRISP. Paul Patras has been partially supported by the Scottish Informatics and Computer Science Alliance (SICSA) through a PECE grant.
We thank the Fitbit Security Team for their professional collaboration with us, and their availability to discuss our findings and address the vulnerabilities we identified.
Copyright information
© 2017 Springer International Publishing AG
Fereidooni, H. et al. (2017). Breaking Fitness Records Without Moving: Reverse Engineering and Spoofing Fitbit. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science(), vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_3
DOI: https://doi.org/10.1007/978-3-319-66332-6_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66331-9
Online ISBN: 978-3-319-66332-6
eBook Packages: Computer Science, Computer Science (R0)