# Breaking Fitness Records without Moving: Reverse Engineering and   Spoofing Fitbit

**Authors:** Hossein Fereidooni, Jiska Classen, Tom Spink, Paul Patras, Markus, Miettinen, Ahmad-Reza Sadeghi, Matthias Hollick, and Mauro Conti

arXiv: 1706.09165 · 2017-06-29

## TL;DR

This paper analyzes Fitbit fitness trackers' security, revealing vulnerabilities that allow falsifying activity data and bypassing encryption, which could be exploited for financial gain.

## Contribution

It provides a detailed reverse engineering of Fitbit's synchronization protocol and uncovers hardware attack vectors enabling data spoofing and protocol circumvention.

## Key findings

- Falsified activity reports can be injected at scale.
- Hardware attacks can bypass encryption protections.
- Security vulnerabilities enable financial exploitation.

## Abstract

Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors' cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private information and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on the devices we analyze. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1706.09165/full.md

## Figures

12 figures with captions in the complete paper: https://tomesphere.com/paper/1706.09165/full.md

## References

21 references — full list in the complete paper: https://tomesphere.com/paper/1706.09165/full.md

---
Source: https://tomesphere.com/paper/1706.09165