Doping your Fitbit

Firmware modifications faking you fitter

Video duration
00:22:49
Language
English
Abstract
Security architectures for wearables are challenging. We take a deeper look at the widely used Fitbit fitness trackers. The Fitbit ecosystem is interesting to analyze because Fitbit employs security measures such as end-to-end encryption and authentication to protect user data (and the Fitbit business model). Even though this goes beyond the security mechanisms offered by other fitness tracker vendors, reverse-engineering the trackers enables us to launch practical attacks against the Fitbit ecosystem. In our talk, we demonstrate new attacks, including wirelessly flashing malware onto trackers as well as “unlocking” the trackers so that they work independently of the Fitbit cloud.

We explain the Fitbit security architecture, including the most important communication paradigms between tracker, app, and server. Our talk focuses on the tracker itself and its wireless interfaces; nevertheless, it is important to understand the roles of the other components in order to imitate them successfully.

Custom firmware makes fitness trackers the ultimate geek toy, including the possibility of improving security and privacy. We show how we reverse-engineered the wireless firmware flashing process and how we set up a Nexmon-based environment for developing custom firmware. A short demo shows how wireless flashing works, including what the modified firmware makes possible.

We also release a smartphone application supporting a subset of the demonstrated attacks, including the possibility for users to extract some of their fitness tracker data without sharing it with Fitbit. This is a huge step towards privacy on wearables. Apart from the app, we also release everything necessary to patch your Fitbit firmware, enabling users to develop more secure mechanisms to protect their data.

Talk ID
8908
Event:
34c3
Day
1
Room
Saal Clarke
Start
10:45 p.m.
Duration
00:30:00
Track
Security
Type of
lecture
Speaker
jiska
DanielAW
Talk Slug & media link
34c3-8908-doping_your_fitbit

Talk & Speaker speed statistics

Very rough underestimation (whole talk): 139.9 wpm, 754.8 spm
While speaker(s) speak(s): 145.2 wpm, 783.5 spm
DanielAW: 136.2 wpm, 721.7 spm
jiska: 151.4 wpm, 826.6 spm