we show that Fitbit is vulnerable to a wide
range of attacks. In order to expose Fitbit’s vulnerabilities, in a
first contribution, we have reverse engineered the semantics of
tracker memory banks, the command types and the tracker-to-social
network communication protocol. In a second contribution,
we have built FitBite, a suite of tools that exploit Fitbit’s
vulnerability to a wide range of attacks. In a third contribution,
we propose FitLock, a lightweight extension that uses efficient
cryptographic tools to secure the Fitbit protocol and show
that FitLock prevents the FitBite attacks.
2. Motivation
Background & System Model
Reverse Engineering
Fitbit Communication Protocol
FitBite: Attacking Fitbit
FitLock: Protecting Fitbit
Analysis
Experiments
3. Emergence of social sensor networks (SSN)
SSN: a source of significant privacy and security issues.
Health insurance companies are moving toward
providing discounts to customers that use trackers to
prove a healthy lifestyle [1].
4.
5. The tracker mainly consists of four IC chips:
(i) an MMA7341L 3-axis MEMS accelerometer,
(ii) an MSP430F2618 low-power TI MCU consisting of 92 KB
of flash and 96 KB of RAM,
(iii) an nRF24AP1 2.4 GHz RF chip supporting the ANT
protocol (1 Mbit/s, 15 ft transmission range),
(iv) a MEMS altimeter to count the number of floors climbed.
6. The base: a bridge between trackers and the online social network.
Trackers communicate with bases over ANT.
ANT is a 2.4 GHz bidirectional wireless Personal Area Network
(PAN) communications technology optimized for transferring
low-data-rate, low-latency data between multiple ANT-enabled devices.
7. Two types of attackers:
(i) External attackers
(ii) Insiders
Our assumption: the Fitbit service (e.g. the webserver) does not
collude with attackers.
8. Relied on information from libfitbit [6] for open source health
hardware access.
Used the service logs, which are stored in cleartext files, to understand
the functionality of Fitbit.
Implemented a USB-based filter driver that separately logs the
data flowing to and from the base.
9. Memory Banks
Two types: Read banks and Write banks.
During the upload session, the webserver reads data from 6 memory
banks, writes on 2 banks and clears data from 5 banks.
Read bank #1: stores the daily user fitness records.
Write bank #0 stores 64 bytes concerning the device settings as
specified on the user’s Fitbit account.
Write bank #1 stores 16 bytes that contain the daily user fitness records.
10. Opcodes and Responses
The communication is embedded in XML blocks that contain base64-encoded
opcodes (commands for the tracker).
Opcodes are 7 bytes long.
Retrieve device information (TRQ-REQ): opcode [0x24, 000000].
Read/write tracker memory (READ-TRQ): Read opcode [0x22,
index, 00000] and Write opcode [0x23, index, datalen, 0000].
Erase memory (ERASE): opcode [0x25, index, t, 0].
Successful Response: opcode [0x41, 000000].
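The opcode layout on this slide can be checked mechanically when reviewing logged base-to-tracker traffic. The following is an added example, not code from the slides or from libfitbit: it decodes base64 opcodes and reports any that do not fit the documented layout. The function names are hypothetical, the field widths (1-byte index and datalen, 4-byte t) are inferred from the 7-byte length, and the expectation that a write's datalen equals the bank sizes given on the memory-bank slide is an assumption.

```python
import base64

OPCODE_LEN = 7                      # slides: opcodes are 7 bytes long
WRITE_BANK_SIZE = {0: 64, 1: 16}    # slides: write bank #0 = 64 B, #1 = 16 B

def decode_opcode(b64_text):
    """Decode one base64 opcode into a dict; raise ValueError if malformed."""
    raw = base64.b64decode(b64_text, validate=True)
    if len(raw) != OPCODE_LEN:
        raise ValueError(f"expected {OPCODE_LEN} bytes, got {len(raw)}")
    code, rest = raw[0], raw[1:]
    if code == 0x24 and not any(rest):
        return {"type": "device-info"}
    if code == 0x41 and not any(rest):
        return {"type": "success"}
    if code == 0x22 and not any(rest[1:]):
        return {"type": "read", "bank": rest[0]}
    if code == 0x23 and not any(rest[2:]):
        return {"type": "write", "bank": rest[0], "datalen": rest[1]}
    if code == 0x25 and rest[5] == 0:
        # Assumption: t occupies the 4 bytes between index and the final 0.
        return {"type": "erase", "bank": rest[0], "t": rest[1:5].hex()}
    return {"type": "unknown", "raw": raw.hex()}

def audit(b64_opcodes):
    """Return (position, reason) for opcodes that do not fit the documented layout."""
    findings = []
    for pos, text in enumerate(b64_opcodes):
        try:
            op = decode_opcode(text)
        except ValueError:          # binascii.Error is a ValueError subclass
            findings.append((pos, "malformed"))
            continue
        if op["type"] == "unknown":
            findings.append((pos, "unknown-opcode"))
        elif op["type"] == "write" and WRITE_BANK_SIZE.get(op["bank"]) != op["datalen"]:
            findings.append((pos, "write-size-mismatch"))
    return findings

# Constructed sample, not captured traffic.
SAMPLE = [base64.b64encode(bytes(b)).decode() for b in (
    [0x24, 0, 0, 0, 0, 0, 0],              # device information request
    [0x22, 1, 0, 0, 0, 0, 0],              # read bank #1
    [0x23, 0, 64, 0, 0, 0, 0],             # write bank #0, 64 bytes
    [0x23, 1, 64, 0, 0, 0, 0],             # write bank #1 with wrong length
    [0x25, 1, 0x12, 0x34, 0x56, 0x78, 0],  # erase bank #1
    [0x7F, 0, 0, 0, 0, 0, 0],              # code not listed on the slide
)] + ["AAAA"]                              # decodes to 3 bytes

if __name__ == "__main__":
    for pos, reason in audit(SAMPLE):
        print(pos, reason)
```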
13. Two modules: The Base module and the tracker module.
The Base Module (BM) is used to retrieve data from the
tracker, inject false values and upload them into the account of
the corresponding user on the webserver.
The Tracker Module (TM) is used to read and write the
tracker data.
20. Claim #1: Without physical access to the tracker, an attacker
cannot hijack the tracker during the BindTrackerUser
procedure.
Claim #2: FitLock prevents the battery depletion attack.
22. Fig: (a) Encryption time overhead on Xperia. (b) Decryption time
overhead on webserver (Dell laptop).
23. FitLock adds an overhead of 37 ms, accounting for 2.4% of Fitbit’s
time.
24. In the current work, we
Studied security and privacy issues of Fitbit.
Developed FitBite to launch both passive and active attacks on
Fitbit.
Proposed FitLock, a Fitbit extension that defends against FitBite.
Implemented FitLock and showed that FitLock introduces a
negligible end-to-end overhead on Fitbit (2.4%).
25. [1] Cotton Delo. Insurance Giant WellPoint Commits to Facebook With Fitness
Tracker. AdAge digital, 2012.
[2] FitBite and FitLock: Attacks and defenses on Fitbit Tracker.
http://users.cis.fiu.edu/~mrahm004/fitlock.
[3] ANT message protocol and usage.
http://www.sparkfun.com/datasheets/Wireless/Nordic/ANT-UserGuide.pdf.
[4] Fitbit. http://fitbit.com/.
[5] Earndit: We reward you for exercising. http://earndit.com/.
[6] OpenYou libfitbit. https://github.com/openyou/libfitbit/