
Breaking Fitness Records without Moving: Reverse Engineering and Spoofing Fitbit



Abstract

Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors' cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on the devices we analyze. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.
