12 research outputs found

    Anatomy of a Vulnerable Fitness Tracking System: Dissecting the Fitbit Cloud, App, and Firmware

    Funding: This work has been co-funded by the DFG as part of projects S1 within the CRC 1119 CROSSING and C.1 within the RTG 2050 "Privacy and Trust for Mobile Users", and by the BMBF within CRISP. Paul Patras has been partially supported by the Scottish Informatics and Computer Science Alliance (SICSA) through a PECE grant.
    Fitbit fitness trackers record sensitive personal information, including daily step counts, heart rate profiles, and locations visited. By design, these devices gather and upload activity data to a cloud service, which provides aggregate statistics to mobile app users. The same principles govern numerous other Internet-of-Things (IoT) services that target different applications. As a market leader, Fitbit has developed perhaps the most secure wearables architecture that guards communication with end-to-end encryption. In this paper, we analyze the complete Fitbit ecosystem and, despite the brand's continuous efforts to harden its products, we demonstrate a series of vulnerabilities with potentially severe implications to user privacy and device security. We employ a repertoire of techniques encompassing protocol analysis, software decompiling, and both static and dynamic embedded code analysis, to reverse engineer previously undocumented communication semantics, the official smartphone app, and the tracker firmware. Through this interplay and in-depth analysis, we reveal how attackers can exploit the Fitbit protocol to extract private information from victims without leaving a trace, and wirelessly flash malware without user consent. We demonstrate that users can tamper with both the app and firmware to selfishly manipulate records or circumvent Fitbit's walled garden business model, making the case for an independent, user-controlled, and more secure ecosystem. Finally, based on the insights gained, we make specific design recommendations that not only can mitigate the identified vulnerabilities, but are also broadly applicable to securing future wearable system architectures.
    Postprint. Peer reviewed.

    Fitbit Firmware Hacking

    Fitbit Firmware Hacking

    Norway exported salmon worth 72.5 billion kroner in 2019, and in terms of value creation salmon is the largest and most important seafood species for Norway. By comparison, Chile exported Atlantic salmon worth 32.8 billion in 2019. A large share of Norwegian exports goes to the EU markets, while Chile's most important export market is the USA. The purpose of this thesis is to examine whether Chile has better market access to the USA than Norway, with the main focus on Atlantic salmon as an export commodity. The conditions and export barriers that Chile and Norway face, and the effect these have on trade with the USA, are examined. The free trade agreement between Chile and the USA is a significant factor in this thesis and has received much attention. In addition, some emphasis is placed on what Norway can do to gain even better access to the American market. The research question is answered through both qualitative and quantitative studies, based on existing research and statistics. These include various articles on market access and international trade, as well as a document analysis of the free trade agreement between Chile and the USA. The World Trade Organization (WTO) is central to international trade, and an in-depth look at its history and what it emphasizes with regard to trade is presented. The results presented are discussed in the analysis in light of theory, export barriers and conditions for trade. It has been necessary to limit the thesis to the export of one product and one market, since a larger scope would have become complicated given that Chile and Norway are major seafood exporters. The result of the analysis shows that tariffs and duties do not affect trade into the USA to any great extent. Other factors account for Chile's dominance in the American market for Atlantic salmon exports. Norway has a strong position in several of today's largest markets, but compared with Chile its market share in the USA is modest.

    Doping your Fitbit

    NFCGate - An NFC Relay Application for Android

    Near Field Communication (NFC) is a technology widely used for security-critical applications like access control or payment systems. Many of these systems rely on the security assumption that the card has to be in close proximity to communicate with the reader. We developed NFCGate, an Android application capable of relaying NFC communication between card and reader using two rooted but otherwise unmodified Android phones. This enables us to increase the distance between card and reader, eavesdrop on, and even modify the exchanged data. The application should work for any system built on top of ISO 14443-3 that is not hardened against relay attacks, and was successfully tested with a popular contactless card payment system and an electronic passport document

    Nexmon: Build Your Own Wi-Fi Testbeds With Low-Level MAC and PHY-Access Using Firmware Patches on Off-the-Shelf Mobile Devices

    The most widespread Wi-Fi enabled devices are smartphones. They are mobile, close to people and available in large quantities, which makes them perfect candidates for real-world wireless testbeds. Unfortunately, most smartphones contain closed-source FullMAC Wi-Fi chips that hinder the modification of lower-layer Wi-Fi mechanisms and the implementation of new algorithms. To enable researchers' access to lower-layer frame processing and advanced physical-layer functionalities on Broadcom Wi-Fi chips, we developed the Nexmon firmware patching framework. It allows users to create firmware modifications for embedded ARM processors using C code and to change the behavior of Broadcom's real-time processor using Assembly. Currently, our framework supports five Broadcom chips available in smartphones and Raspberry Pis. Our example patches enable monitor mode, frame injection, handling of ioctls, ucode compression and flashpatches. In a simple ping offloading example, we demonstrate how handling pings in firmware reduces power consumption by up to 165 mW and is nine times faster than in the kernel on a Nexus 5. Using Nexmon, researchers can unleash the full capabilities of off-the-shelf Wi-Fi devices

    The Nexmon firmware analysis and modification framework: Empowering researchers to enhance Wi-Fi devices

    The most widespread Wi-Fi enabled devices are smartphones. They are mobile, close to people and available in large quantities, which makes them perfect candidates for real-world wireless testbeds. Unfortunately, most smartphones contain closed-source FullMAC Wi-Fi chips that hinder the modification of lower-layer Wi-Fi mechanisms and the implementation of new algorithms. To enable researchers’ access to lower-layer frame processing and advanced physical-layer functionalities on Broadcom Wi-Fi chips, we developed the Nexmon firmware patching framework. It allows users to create firmware modifications for embedded ARM processors using C code and to change the behaviour of Broadcom’s real-time processor using Assembly. Currently, our framework supports nine Broadcom chips available in smartphones and Raspberry Pis. Our example patches enable monitor mode, frame injection, handling of ioctls, ucode compression, flashpatches, software-defined radio capabilities, channel state information extraction and access to debugging features. To enhance firmware analysis, we present a debugger application that directly accesses the debugging core of the ARM microcontroller executing the Wi-Fi firmware. Additionally, we discuss how Wi-Fi chips can be protected from malicious firmware while still allowing researchers to run custom code. Using Nexmon, researchers can unleash the full capabilities of off-the-shelf Wi-Fi devices

    DEMO: Using NexMon, the C-based WiFi firmware modification framework

    FullMAC WiFi chips have the potential to realize modifications to WiFi implementations that exceed the limits of current standards or to realize the implementation of new standards, such as 802.11p, on off-the-shelf hardware. As a developer, one, however, needs access to the firmware source code to implement these modifications. In general, WiFi firmwares are closed source and do not allow any modifications. With our C-based programming framework, NexMon, we allow the extension of existing firmware of Broadcom's FullMAC WiFi chips. In this work, we demonstrate how to get started by running existing example projects and by creating a new project to transmit arbitrary frames with a Nexus 5 smartphone.

    NFCGate: An NFC Relay Application for Android

    Near Field Communication (NFC) is a technology widely used for security-critical applications like access control or payment systems. Many of these systems rely on the security assumption that the card has to be in close proximity to communicate with the reader. We developed NFCGate, an Android application capable of relaying NFC communication between card and reader using two rooted but otherwise unmodified Android phones. This enables us to increase the distance between card and reader, eavesdrop on, and even modify the exchanged data. The application should work for any system built on top of ISO 14443-3 that is not hardened against relay attacks, and was successfully tested with a popular contactless card payment system and an electronic passport document