Anatomy of a Vulnerable Fitness Tracking System: Dissecting the Fitbit Cloud, App, and Firmware
Funding: This work has been co-funded by the DFG as part of projects S1 within the CRC 1119 CROSSING and C.1 within the RTG 2050 "Privacy and Trust for Mobile Users", and by the BMBF within CRISP. Paul Patras has been partially supported by the Scottish Informatics and Computer Science Alliance (SICSA) through a PECE grant.

Fitbit fitness trackers record sensitive personal information, including daily step counts, heart rate profiles, and locations visited. By design, these devices gather and upload activity data to a cloud service, which provides aggregate statistics to mobile app users. The same principles govern numerous other Internet-of-Things (IoT) services that target different applications. As a market leader, Fitbit has developed perhaps the most secure wearables architecture, guarding communication with end-to-end encryption. In this paper, we analyze the complete Fitbit ecosystem and, despite the brand's continuous efforts to harden its products, we demonstrate a series of vulnerabilities with potentially severe implications for user privacy and device security. We employ a repertoire of techniques encompassing protocol analysis, software decompiling, and both static and dynamic embedded code analysis to reverse engineer previously undocumented communication semantics, the official smartphone app, and the tracker firmware. Through this interplay and in-depth analysis, we reveal how attackers can exploit the Fitbit protocol to extract private information from victims without leaving a trace, and wirelessly flash malware without user consent. We demonstrate that users can tamper with both the app and firmware to selfishly manipulate records or circumvent Fitbit's walled-garden business model, making the case for an independent, user-controlled, and more secure ecosystem.
Finally, based on the insights gained, we make specific design recommendations that not only mitigate the identified vulnerabilities, but are also broadly applicable to securing future wearable system architectures.

Postprint, peer reviewed.
Cloud computing and context-awareness: A study of the adapted user experience
This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.

Today, mobile technology is part of everyday life and activities, and the mobile ecosystems are blossoming, with smartphones and tablets being the major growth drivers. Mobile phones are no longer just another device; we rely on their capabilities both at work and in private. We look to our mobile phones for timely and updated information, and we rely on this being provided at any time of any day, at any place. Nevertheless, no matter how much you trust and love your mobile phone, the quality of the information and of the user experience is directly associated with the sources and presentation of that information. In this perspective, our activities, interactions and preferences help shape the quality of the services, content and products we use. Context-aware systems use such information about end-users as input for producing applications based on mobile, location, social, cloud and customized content services. This represents new possibilities for extracting aggregated user-centric information and includes novel sources for context-aware applications. Accordingly, a Design Research based approach has been taken to further investigate the creation, presentation and tailoring of user-centric information. Findings from user-evaluated experiments show how multi-dimensional context-aware information can be used to create adaptive solutions that tailor the user experience to the users' needs. Research findings in this work highlight possible architectures for integrating cloud computing services into a heterogeneous mobile environment in future context-aware solutions. When it comes to combining context-aware results from local computations with those of cloud-based services, the results provide findings that give users tailored and adapted experiences based on the collective efforts of the two
Robust access control framework for mobile cloud computing network
Unified communications has enabled seamless data sharing between multiple devices running on various platforms. Traditionally, organizations use local servers to store data, and employees access the data from desktops governed by predefined security policies. In the era of unified communications, employees exploit the advantages of smart devices and 4G wireless technology to access the data from anywhere and at any time. Security protocols such as access control designed for the traditional setup are not sufficient when integrating mobile devices with an organization's internal network. Within this context, we exploit the features of smart devices to enhance the security of the traditional access control technique. Dynamic attributes of smart devices, such as unlock failures, application usage, location and proximity of other devices, can be used to determine the risk level of an end-user. In this paper, we seamlessly incorporate these dynamic attributes into the conventional access control scheme. Inclusion of dynamic attributes provides an additional layer of security on top of conventional access control. We demonstrate that the efficiency of the proposed algorithm is comparable to the efficiency of the conventional schemes.
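The abstract describes a two-layer decision: a conventional role check, followed by a risk level derived from dynamic device attributes. The following Python sketch is an added illustration of that pattern and is not code from the paper; the page does not give the authors' scoring model, so the attribute weights, the risk thresholds, the policy table and the resource names below are all assumptions chosen to make the example runnable. The general shape (static policy gates the role, dynamic context gates the risk, and anything unknown is denied) is the part worth copying.

```python
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class DeviceContext:
    """Dynamic attributes reported by the smart device at request time.
    Field set mirrors the attributes named in the abstract; values are assumed."""
    unlock_failures: int          # failed unlock attempts in the recent window
    unknown_apps: int             # installed apps not from the managed store
    location: str                 # coarse label: "office", "home" or "unknown"
    nearby_trusted_devices: int   # paired/known devices currently in range


# Static policy (assumed): resource -> roles permitted and the highest risk level tolerated.
POLICY = {
    "hr_records": {"roles": {"hr", "admin"},          "max_risk": Risk.LOW},
    "finance_db": {"roles": {"finance", "admin"},     "max_risk": Risk.MEDIUM},
    "wiki":       {"roles": {"staff", "hr", "admin"}, "max_risk": Risk.HIGH},
}


def risk_score(ctx: DeviceContext) -> int:
    """Additive score from the dynamic attributes. Weights are assumptions, not the paper's."""
    score = 0
    if ctx.unlock_failures >= 5:
        score += 3            # repeated unlock failures: possible stolen device
    elif ctx.unlock_failures >= 2:
        score += 1
    score += min(ctx.unknown_apps, 3)   # cap so one attribute cannot dominate
    if ctx.location == "home":
        score += 1
    elif ctx.location != "office":
        score += 2            # unrecognised location is treated as riskier than home
    if ctx.nearby_trusted_devices == 0:
        score += 1            # no known devices nearby: user may not be where expected
    return score


def risk_level(score: int) -> Risk:
    """Map the additive score onto the three-level risk scale (thresholds assumed)."""
    if score <= 1:
        return Risk.LOW
    if score <= 3:
        return Risk.MEDIUM
    return Risk.HIGH


def authorize(user_roles: set, resource: str, ctx: DeviceContext) -> tuple:
    """Conventional role check first, then the dynamic risk check. Default-deny throughout."""
    entry = POLICY.get(resource)
    if entry is None:
        return (False, "unknown resource")
    if not (user_roles & entry["roles"]):
        return (False, "role not permitted")
    level = risk_level(risk_score(ctx))
    if level > entry["max_risk"]:
        return (False, f"risk {level.name} exceeds {entry['max_risk'].name}")
    return (True, f"allowed at risk {level.name}")


if __name__ == "__main__":
    # Constructed sample contexts for the same HR user on the same day.
    at_desk = DeviceContext(unlock_failures=0, unknown_apps=0, location="office", nearby_trusted_devices=2)
    in_cafe = DeviceContext(unlock_failures=3, unknown_apps=1, location="unknown", nearby_trusted_devices=0)
    for name, ctx in (("at_desk", at_desk), ("in_cafe", in_cafe)):
        for res in ("hr_records", "wiki"):
            print(name, res, authorize({"hr"}, res, ctx))
```

The role check alone would grant the HR user access to the records from the cafe; the risk layer denies it while still allowing the low-sensitivity wiki. Note that the dynamic attributes arrive from the device itself, so in a real deployment they should be collected by a management agent the user cannot trivially spoof, otherwise the added layer only raises the bar for an attacker who has not also compromised the device.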