Anatomy of a vulnerable fitness tracking system : dissecting the fitbit cloud, app, and firmware
MetadataShow full item record
Fitbit fitness trackers record sensitive personal information, including daily step counts, heart rate profiles, and locations visited. By design, these devices gather and upload activity data to a cloud service, which provides aggregate statistics to mobile app users. The same principles govern numerous other Internet-of-Things (IoT) services that target different applications. As a market leader, Fitbit has developed perhaps the most secure wearables architecture that guards communication with end-to-end encryption. In this paper, we analyze the complete Fitbit ecosystem and, despite the brand's continuous efforts to harden its products, we demonstrate a series of vulnerabilities with potentially severe implications to user privacy and device security. We employ a repertoire of techniques encompassing protocol analysis, software decompiling, and both static and dynamic embedded code analysis, to reverse engineer previously undocumented communication semantics, the official smartphone app, and the tracker firmware. Through this interplay and in-depth analysis, we reveal how attackers can exploit the Fitbit protocol to extract private information from victims without leaving a trace, and wirelessly flash malware without user consent. We demonstrate that users can tamper with both the app and firmware to selfishly manipulate records or circumvent Fitbit's walled garden business model, making the case for an independent, user-controlled, and more secure ecosystem. Finally, based on the insights gained, we make specific design recommendations that not only can mitigate the identified vulnerabilities, but are also broadly applicable to securing future wearable system architectures.
Classen , J , Wegemer , D , Patras , P , Spink , T & Hollick , M 2018 , ' Anatomy of a vulnerable fitness tracking system : dissecting the fitbit cloud, app, and firmware ' , Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies , vol. 2 , no. 1 , 5 . https://doi.org/10.1145/3191737
Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies
Copyright © 2018 Association for Computing Machinery. This work has been made available online in accordance with publisher policies or with permission. Permission for further reuse of this content should be sought from the publisher or the rights holder. This is the author created accepted manuscript following peer review and may differ slightly from the final published version. The final published version of this work is available at https://doi.org/10.1145/3191737.
DescriptionFunding: This work has been co-funded by the DFG as part of projects S1 within the CRC 1119 CROSSING and C.1 within the RTG 2050 ”Privacy and Trust for Mobile Users”, and by the BMBF within CRISP. Paul Patras has been partially supported by the Scottish Informatics and Computer Science Alliance (SICSA) through a PECE grant.
Items in the St Andrews Research Repository are protected by copyright, with all rights reserved, unless otherwise indicated.