Files in this item
Breaking fitness records without moving : reverse engineering and spoofing fitbit
Item metadata
| dc.contributor.author | Fereidooni, Hossein | |
| dc.contributor.author | Classen, Jiska | |
| dc.contributor.author | Spink, Tom | |
| dc.contributor.author | Patras, Paul | |
| dc.contributor.author | Miettinen, Markus | |
| dc.contributor.author | Sadeghi, Ahmad-Reza | |
| dc.contributor.author | Hollick, Matthias | |
| dc.contributor.author | Conti, Mauro | |
| dc.contributor.editor | Dacier, Marc | |
| dc.contributor.editor | Bailey, Michael | |
| dc.contributor.editor | Polychronakis, Michalis | |
| dc.contributor.editor | Antonakakis, Manos | |
| dc.date.accessioned | 2021-11-11T15:30:03Z | |
| dc.date.available | 2021-11-11T15:30:03Z | |
| dc.date.issued | 2017 | |
| dc.identifier | 276650514 | |
| dc.identifier | 488ee7d5-68fb-404e-9152-94a7be56071e | |
| dc.identifier | 85032867563 | |
| dc.identifier.citation | Fereidooni , H , Classen , J , Spink , T , Patras , P , Miettinen , M , Sadeghi , A-R , Hollick , M & Conti , M 2017 , Breaking fitness records without moving : reverse engineering and spoofing fitbit . in M Dacier , M Bailey , M Polychronakis & M Antonakakis (eds) , Research in Attacks, Intrusions, and Defenses : 20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18–20, 2017, Proceedings . Lecture Notes in Computer Science , vol. 10453 , Springer, Cham , Cham , pp. 48-69 , International Symposium on Research in Attacks, Intrusions and Defenses , Atlanta , Georgia , United States , 18/09/17 . https://doi.org/10.1007/978-3-319-66332-6_3 | en |
| dc.identifier.citation | conference | en |
| dc.identifier.isbn | 9783319663319 | |
| dc.identifier.isbn | 9783319663326 | |
| dc.identifier.issn | 0302-9743 | |
| dc.identifier.other | RIS: urn:BCD4F5D8BA747520C1BC256C9EF66E7F | |
| dc.identifier.other | ORCID: /0000-0002-7662-3146/work/103138174 | |
| dc.identifier.uri | https://hdl.handle.net/10023/24316 | |
| dc.description | Funding: Hossein Fereidooni is supported by the Deutsche Akademische Austauschdienst (DAAD). Mauro Conti is supported by the EU TagItSmart! Project (agreement H2020-ICT30-2015-688061) and IT-CNR/Taiwan-MOST 2016-17 “Verifiable Data Structure Streaming”. This work has been co-funded by the DFG as part of projects S1 and S2 within the CRC 1119 CROSSING, and by the BMBF within CRISP. Paul Patras has been partially supported by the Scottish Informatics and Computer Science Alliance (SICSA) through a PECE grant. | en |
| dc.description.abstract | Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors' cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on these devices. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs. | |
| dc.format.extent | 22 | |
| dc.format.extent | 3686735 | |
| dc.language.iso | eng | |
| dc.publisher | Springer, Cham | |
| dc.relation.ispartof | Research in Attacks, Intrusions, and Defenses | en |
| dc.relation.ispartofseries | Lecture Notes in Computer Science | en |
| dc.subject | Fitness trackers | en |
| dc.subject | Reverse engineering | en |
| dc.subject | Spoofing | en |
| dc.subject | Fitbit | en |
| dc.subject | QA75 Electronic computers. Computer science | en |
| dc.subject | RC1200 Sports Medicine | en |
| dc.subject | DAS | en |
| dc.subject.lcc | QA75 | en |
| dc.subject.lcc | RC1200 | en |
| dc.title | Breaking fitness records without moving : reverse engineering and spoofing fitbit | en |
| dc.type | Conference item | en |
| dc.contributor.institution | University of St Andrews. School of Computer Science | en |
| dc.identifier.doi | 10.1007/978-3-319-66332-6_3 |
This item appears in the following Collection(s)
Items in the St Andrews Research Repository are protected by copyright, with all rights reserved, unless otherwise indicated.