TU Darmstadt / ULB / TUbiblio

Breaking Fitness Records without Moving: Reverse Engineering and Spoofing Fitbit

Fereidooni, Hossein ; Classen, Jiska ; Spink, Tom ; Patras, Paul ; Miettinen, Markus ; Sadeghi, Ahmad-Reza ; Hollick, Matthias ; Conti, Mauro (2017)
Breaking Fitness Records without Moving: Reverse Engineering and Spoofing Fitbit.
Atlanta, Georgia, USA
Konferenzveröffentlichung, Bibliographie

Kurzbeschreibung (Abstract)

Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors’ cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private infor mation and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on the devices we analyze. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.

Typ des Eintrags: Konferenzveröffentlichung
Erschienen: 2017
Autor(en): Fereidooni, Hossein ; Classen, Jiska ; Spink, Tom ; Patras, Paul ; Miettinen, Markus ; Sadeghi, Ahmad-Reza ; Hollick, Matthias ; Conti, Mauro
Art des Eintrags: Bibliographie
Titel: Breaking Fitness Records without Moving: Reverse Engineering and Spoofing Fitbit
Sprache: Deutsch
Publikationsjahr: September 2017
Buchtitel: Proceedings of the 20th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
Veranstaltungsort: Atlanta, Georgia, USA
Kurzbeschreibung (Abstract):

Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors’ cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private infor mation and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on the devices we analyze. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.

Freie Schlagworte: Solutions;S1;S2
ID-Nummer: TUD-CS-2017-0187
Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik
20 Fachbereich Informatik > Systemsicherheit
DFG-Sonderforschungsbereiche (inkl. Transregio)
DFG-Sonderforschungsbereiche (inkl. Transregio) > Sonderforschungsbereiche
Profilbereiche
Profilbereiche > Cybersicherheit (CYSEC)
DFG-Sonderforschungsbereiche (inkl. Transregio) > Sonderforschungsbereiche > SFB 1119: CROSSING – Kryptographiebasierte Sicherheitslösungen als Grundlage für Vertrauen in heutigen und zukünftigen IT-Systemen
Hinterlegungsdatum: 18 Jul 2017 11:22
Letzte Änderung: 02 Jul 2021 09:56
PPN:
Export:
Suche nach Titel in: TUfind oder in Google
Frage zum Eintrag Frage zum Eintrag

Optionen (nur für Redakteure)
Redaktionelle Details anzeigen Redaktionelle Details anzeigen