we show that Fitbit is vulnerable to a wide range of attacks. In order to expose Fitbit’s vulnerabilities, in a first contribution, we have reverse engineered the semantics of tracker memory banks, the command types and the tracker-to social network communication protocol. In a second contribution, we have built FitBite, a suite of tools that exploit Fitbit’s vulnerability to a wide range of attacks. In a third contribution, we propose FitLock, a lightweight extension that uses efficient cryptographic tools to secure the Fitbit protocol and show that FitLock prevents the FitBite attacks.

1. Mahmudur Rahman, Bogdan Carbunar, Madhusudan Banik
HotPETs`13

2.  Motivation
 Background & System Model
 Reverse Engineering
 Fitbit Communication Protocol
 FitBite: Attacking Fitbit
 FitLock: Protecting Fitbit
 Analysis
 Experiments

3.  Emergence of social sensor networks (SSN)
 SSN- source of significant privacy and security issues
 Health insurance companies are moving toward
providing discounts to customers that use trackers to
prove a healthy lifestyle [1].

5. The tracker mainly consists of four IC chips:
 (i) a MMA7341L 3-axis MEMS accelerometer,
 (ii) a MSP430F2618 low power TI MCU consisting of 92 KB
of flash and 96 KB of RAM,
 (iii) a nRF24API 2.4 GHz RF chip supporting the ANT
protocol (1 Mbits/sec, 15 ft transmission range),
 (iv) a MEMS altimeter to count the number of floors climbed.

6.  The base: a bridge between trackers and the online social network.
 Trackers communicate to bases over ANT
 ANT is 2.4 GHz bidirectional wireless Personal Area Network
(PAN) communications technology optimized for transferring low-
data rate, low-latency data between multiple ANT-enabled devices.

7.  Two types of attackers:
(i) External attackers
(ii) Insiders
 Our assumption: Fitbit service (e.g. the webserver) does not
collude with attackers.

8.  Relied on information from libfitbit [6] for open source health
hardware access.
 Used Service Logs which is stored in cleartext files to understand
the functionality of Fitbit.
 Implemented a USB based filter Driver that separately logs the
data flowing to and from the base.

9. Memory Banks
 Two types: Read banks and Write banks.
 During the upload session, the webserver reads data from 6 memory
banks, writes on 2 banks and clears data from 5 banks.
 Read bank #1: stores the daily user fitness records.
 Write bank #0 stores 64 bytes concerning the device settings as
specified on the user’s Fitbit account.
 Write bank #1 stores 16 bytes that contain the daily user fitness records

10. Opcodes and Responses
 The communication is embedded in XML blocks that contain base64
encoded opcodes – commands for the tracker.
 Opcodes are 7 bytes long.
 Retrieve device information (TRQ-REQ): opcode [0x24, 000000].
 Read/write tracker memory (READ-TRQ): Read opcode [0x22,
index, 00000] and Write opcode [0x23, index, datalen,0000].
 Erase memory: (ERASE): opcode [0x25, index, t, 0].
 Successful Response: opcode [0x41, 000000].

11. Tracker Base Fitbit WebServer
1a. [SEND, Beacon]
1b. [PING, Tracker],[ESTABLISH, Link]
2. [BS-INFO, Client id, Platform data]
3. [TRQ-REQ, tracker id, opcode]
4a. [TRQ-REQ, tracker id, opcode]
4b. [TRQ-INFO, tracker id, tracker info]
5. [READ-TRQ, tracker id, opcode]
6a. [READ-TRQ, tracker id, opcode]
6b. [TRQ-DATA, tracker id, fitness data]
(Cont…)

12. Tracker Base Fitbit WebServer
8b. [ERASE, tracker id, opcode]
10. [CLOSE, connection]
9. [CLEAR, response]
11. [SLEEP, beacon]
7a. [WRITE, tracker id, opcode]
7b. [WRITE, tracker id, opcode]
7c. [WRITE, Data]
8a. [ERASE, tracker id, opcode]
8c. [ERASE, Data]

13.  Two modules: The Base module and the tracker module.
 The Base Module (BM) is used to retrieve data from the
tracker, inject false values and upload them into the account of
the corresponding user on the webserver.
 The Tracker Module (TM) is used to read and write the
tracker data.

14.  Tracker Private Data Capture (TPDC).
 Tracker Injection (TI) Attack.

15.  User Account Injection (UAI) Attack.

16.  Free Badges
 Free Financial Awards
Earndit points and available gift cards

17. Battery drain for three operation modes
Battery Depletion Attack

18. The BindTrackerUser protocol

19. UploadData Protocol
 REQ ∈ {TRQ-REQ, READ-TRQ, WRITE, ERASE, CLOSE}
 RESP ∈ {TRQ-INFO, TRQ-DATA, CLEAR}
TrackerFitbit WebServer
idT, EskT (REQ, Swst, Cws)
idT, EskT (RESP, Swst, CT )

20.  Claim #1: Without physical access to the tracker, an attacker
cannot hijack the tracker during the BindTrackerUser
procedure.
 Claim#2: FitLock prevents Battery Depletion attack.

21. Snapshot of Testbed for FitLock

22. (a) (b)
Fig:(a) Encryption time overhead on Xperia. (b) Decryption time
overhead on webserver (Dell laptop).

23.  FitLock adds an overhead of 37ms, accounting for 2.4.% of Fitbit’s
time.

24. In current work, we
 Studied security and privacy issues of Fitbit.
 Developed FitBite to launch both passive and active attacks on
Fitbit.
 Proposed FitLock, a Fitbit extension that defends against FitBite.
 Implemented FitLock and shown that FitLock introduces a
negligible end-to-end overhead on Fitibit (2.4%).

25.  [1] Cotton Delo. Insurance Giant WellPoint Commits to Facebook With Fitness
Tracker. AdAge digital, 2012.
 [2] FitBite and FitLock: Attacks and defenses on Fitbit Tracker.
http://users.cis.fiu.edu/~mrahm004/fitlock.
 [3] Ant message protocol and usage.
http://www.sparkfun.com/datasheets/Wireless/Nordic/ANT-UserGuide.pdf.
 [4] Fitbit. http://fitbit.com/.
 [5] Earndit: We reward you for exercising. http://earndit.com/.
 [6] OpenYou libfitbit. https://github.com/openyou/libfitbit/