Post on 04-Jun-2020
Fitness Tracker: Hack In Progress
Axelle Apvrille - FortiGuard Labs, Fortinet
Hacktivity, October 2015
Meet Fitbit Flex
I Wireless activity + Sleep wristband
I Track steps, distance, calories
I Display progress with 5 LEDs
I Monitor how well you sleep
I Wake up alarm
I No altimeter, no GPS on Flex. Onlyon Charge or Surge.
Hacktivity 2015 - A. Apvrille 2/35
How to open the wristband
Hacktivity 2015 - A. Apvrille 3/35
Lightweight option :)
Thanks to my husband, Ludovic :)
Hacktivity 2015 - A. Apvrille 4/35
Semi-opened
Thanks to my husband, Ludovic :)
Hacktivity 2015 - A. Apvrille 5/35
Bluetooth antenna
Thanks to my husband, Ludovic :)
Hacktivity 2015 - A. Apvrille 6/35
NFC antenna
Thanks to my husband, Ludovic :)
Hacktivity 2015 - A. Apvrille 7/35
Motherboard
Thanks to my husband, Ludovic :)
Hacktivity 2015 - A. Apvrille 8/35
Quizz
How many fitness trackers sold in 2014?
I 10 million
I 40 million
I 70 million
Hacktivity 2015 - A. Apvrille 9/35
Quizz
How many fitness trackers sold in 2014?
I 10 million
I 40 million
I 70 million
Hacktivity 2015 - A. Apvrille 9/35
Hacking the tracker
“If I run on all fours, does this count for more steps?”
Hacktivity 2015 - A. Apvrille 10/35
Video
Fitness for the Lazy
Hacktivity 2015 - A. Apvrille 11/35
Other lazy alternatives to fitness
Images courtesy of Rahman et al. Fit and Vulnerable - 2013
Hacktivity 2015 - A. Apvrille 12/35
Recap’
I We can abuse steps
I We can abuse distance
I We can abuse calories, veryactive minutes...
Hacktivity 2015 - A. Apvrille 13/35
Recap’
I We can abuse steps
I We can abuse distance
I We can abuse calories, veryactive minutes...
Hacktivity 2015 - A. Apvrille 13/35
Recap’
I We can abuse steps
I We can abuse distance
I We can abuse calories, veryactive minutes...
Hacktivity 2015 - A. Apvrille 13/35
And running?
Acceleration on (x), (y) and (z) for walking and jogging
From Kwapisz, Weiss and Moore,“Activity Recognition using Cell Phone Accelerometers”,
SIGKDD 2011
Hacktivity 2015 - A. Apvrille 14/35
Sitting and standing patterns
Acceleration on (x), (y) and (z) for sitting and standing
From Kwapisz, Weiss and Moore,“Activity Recognition using Cell Phone Accelerometers”,
SIGKDD 2011
Hacktivity 2015 - A. Apvrille 15/35
Spying with an accelerometer
From Ravi, Dandekar, Mysore and Littman,“Activity Recognition from Accelerometer Data”, IAAI’05
Hacktivity 2015 - A. Apvrille 16/35
Why hack steps?
Earn undeserved badges
Affiliation points
Gift cards Discounts Pact - Bet
Hacktivity 2015 - A. Apvrille 17/35
Why hack steps?
Earn undeserved badges
Affiliation points
Gift cards Discounts Pact - Bet
Hacktivity 2015 - A. Apvrille 17/35
Why hack steps?
Earn undeserved badges
Affiliation points
Gift cards
Discounts Pact - Bet
Hacktivity 2015 - A. Apvrille 17/35
Why hack steps?
Earn undeserved badges
Affiliation points
Gift cards Discounts
Pact - Bet
Hacktivity 2015 - A. Apvrille 17/35
Why hack steps?
Earn undeserved badges
Affiliation points
Gift cards Discounts Pact - Bet
Hacktivity 2015 - A. Apvrille 17/35
Business
“April 13, 2015, Chicago, IL - higi, a leading cloud-basedconsumer engagement platform that provides trustedpartners with ways to more fully engage with theircommunities around health and wellness, announcedtoday the launching of its industry-leading,privacy-protected and secure API....The API will allow higi’s trusted partners, on a useropt-in basis only, to receive health outcomes and activitydata from participating users with a higi account.”
Source: Higi Blog - Press Releases
Hacktivity 2015 - A. Apvrille 18/35
Recap’
1. We can hack steps, distance etcwithout opening/compromisingthe tracker
2. An accelerometer trace providesmore information on youractivities than you’d think
3. Your fitness data is worthmoney for you, attackers andthe industry
Cyber-criminality fact: Moneymeans Threats
Hacktivity 2015 - A. Apvrille 19/35
Recap’
1. We can hack steps, distance etcwithout opening/compromisingthe tracker
2. An accelerometer trace providesmore information on youractivities than you’d think
3. Your fitness data is worthmoney for you, attackers andthe industry
Cyber-criminality fact: Moneymeans Threats
Hacktivity 2015 - A. Apvrille 19/35
Recap’
1. We can hack steps, distance etcwithout opening/compromisingthe tracker
2. An accelerometer trace providesmore information on youractivities than you’d think
3. Your fitness data is worthmoney for you, attackers andthe industry
Cyber-criminality fact: Moneymeans Threats
Hacktivity 2015 - A. Apvrille 19/35
Recap’
1. We can hack steps, distance etcwithout opening/compromisingthe tracker
2. An accelerometer trace providesmore information on youractivities than you’d think
3. Your fitness data is worthmoney for you, attackers andthe industry
Cyber-criminality fact: Moneymeans Threats
Hacktivity 2015 - A. Apvrille 19/35
Flex: Communication Protocols
Bluetooth Low Energy
HTTP(S)
Hacktivity 2015 - A. Apvrille 20/35
Flex: Communication Protocols
Bluetooth Low Energy HTTP(S)
Hacktivity 2015 - A. Apvrille 20/35
Talking to the Flex
Hello World!
Two USB interfaces
1. For the dongle
2. For the tracker
Demo
Wrote a Python utility to communicate with the dongle and thetracker
Hacktivity 2015 - A. Apvrille 21/35
Reverse engineering
Proprietary!
No technical user/ developer/ contributor documentationEverything has to be reverse engineered
AchievementsI 20 different commands for the dongle:
Get dongle information, disconnect, start discovery, canceldiscovery, establish link, toggle pipe...
I 24 different commands for the tracker:Echo, start transmission, display code, handle secret, alertuser...
I XML communication with the remote servers
Hacktivity 2015 - A. Apvrille 22/35
Reverse engineering
Proprietary!
No technical user/ developer/ contributor documentationEverything has to be reverse engineered
AchievementsI 20 different commands for the dongle:
Get dongle information, disconnect, start discovery, canceldiscovery, establish link, toggle pipe...
I 24 different commands for the tracker:Echo, start transmission, display code, handle secret, alertuser...
I XML communication with the remote servers
Hacktivity 2015 - A. Apvrille 22/35
How does it work?
Example: Get Dump
Dongle Tracker(s)
Get Dump RequestC0 10 ...
Start Dump ResponseC0 41 DumpType
The dump
The dump
End Dump ResponseC0 42 dump type, dump size...
https://github.com/cryptax/fittools
Hacktivity 2015 - A. Apvrille 23/35
Recap’ - Achievements
1. Get information, status from thedongle
2. Discover trackers nearby
3. Get data to synchronize fromthe tracker
4. Light LEDs of the tracker
Anything better?
Hacktivity 2015 - A. Apvrille 24/35
Satisfaction form
http://ftnt.net/1iKyoNn
Hacktivity 2015 - A. Apvrille 25/35
Question
Can the tracker get infected?
Can it propagate infection to otherdevices?
Hacktivity 2015 - A. Apvrille 26/35
Scenario: Fitness Tracker as an Infection Vector
Attacker
INJECTED MALICIOUS CODE
Trackeris infected
Victim’s laptop
DISCOVERY
MALICIOUS CODE
Deliver malicious payload: crash, propagate...
Hacktivity 2015 - A. Apvrille 27/35
Scenario: Fitness Tracker as an Infection Vector
Attacker
INJECTED MALICIOUS CODE
Trackeris infected
Victim’s laptop
DISCOVERY
MALICIOUS CODE
Deliver malicious payload: crash, propagate...
Hacktivity 2015 - A. Apvrille 27/35
Scenario: Fitness Tracker as an Infection Vector
Attacker
INJECTED MALICIOUS CODE
Trackeris infected
Victim’s laptopDISCOVERY
MALICIOUS CODE
Deliver malicious payload: crash, propagate...
Hacktivity 2015 - A. Apvrille 27/35
Scenario: Fitness Tracker as an Infection Vector
Attacker
INJECTED MALICIOUS CODE
Trackeris infected
Victim’s laptopDISCOVERY
MALICIOUS CODE
Deliver malicious payload: crash, propagate...
Hacktivity 2015 - A. Apvrille 27/35
Scenario: Fitness Tracker as an Infection Vector
Attacker
INJECTED MALICIOUS CODE
Trackeris infected
Victim’s laptopDISCOVERY
MALICIOUS CODE
Deliver malicious payload: crash, propagate...
Hacktivity 2015 - A. Apvrille 27/35
Code inject and infect video
Hacktivity 2015 - A. Apvrille 28/35
Tracker Infection: Limitations
1. It’s a PoC: no maliciouspayload!
2. Max 17 bytes. Is that enough?
I Yes. Crash Pentium Trojan(2004): 4 bytes
I Mini DOS virus (1991): 13bytes
I Not enough for an advancedbotnet though ;)
3. Execute/Deliver code on target:we did not handle this!
4. Fitbit patches
Hacktivity 2015 - A. Apvrille 29/35
Tracker Infection: Limitations
1. It’s a PoC: no maliciouspayload!
2. Max 17 bytes. Is that enough?
I Yes. Crash Pentium Trojan(2004): 4 bytes
I Mini DOS virus (1991): 13bytes
I Not enough for an advancedbotnet though ;)
3. Execute/Deliver code on target:we did not handle this!
4. Fitbit patches
Hacktivity 2015 - A. Apvrille 29/35
Tracker Infection: Limitations
1. It’s a PoC: no maliciouspayload!
2. Max 17 bytes. Is that enough?
I Yes. Crash Pentium Trojan(2004): 4 bytes
I Mini DOS virus (1991): 13bytes
I Not enough for an advancedbotnet though ;)
3. Execute/Deliver code on target:we did not handle this!
4. Fitbit patches
Hacktivity 2015 - A. Apvrille 29/35
Tracker Infection: Limitations
1. It’s a PoC: no maliciouspayload!
2. Max 17 bytes. Is that enough?
I Yes. Crash Pentium Trojan(2004): 4 bytes
I Mini DOS virus (1991): 13bytes
I Not enough for an advancedbotnet though ;)
3. Execute/Deliver code on target:we did not handle this!
4. Fitbit patches
Hacktivity 2015 - A. Apvrille 29/35
Let’s have fun with our tracker
45 A0 7B 21
We always lack sources of entropy, don’t we?
Hacktivity 2015 - A. Apvrille 30/35
Implementing a Tracker RNG
Dongle Tracker(s)
Client ChallengeC0 50 LocalRandom
Auth Chal RespC0 51 TrackerChallenge SeqNum
Response to ChallengeC0 52 ComputedMAC ...
I Send a dummy local random (C0 50)
I Wait for tracker’s response: 8-byte challenge
I Never send last message (C0 52)
Hacktivity 2015 - A. Apvrille 31/35
Fitbit RNG
Demo
Getting random bytes
$ python rndflex.py -b 256
e3 57 5a d0 00 14 4a b2
25 d3 91 0b 21 5b c1 e4
fd 9e c9 8d e8 c4 9e 90
76 ba 01 1f ba 56 95 19
...
Hacktivity 2015 - A. Apvrille 32/35
Is it a good RNG?
Description Entropy Chi-square
Mean Monte-Carlo Pierror
Dieharderfailedtests
Target 8 10-90%
127.5 0% 0
Victor Hugo 4.6 0.01% 99 27% 2 weakLinux PRNG/dev/urandom
8 75% 127 0.57% 0
AES ciphertext 8 50% 128 0.50%Fitbit tracker 8 75% 127 0.36% 3 weakRadioactive de-cay events
41% 0.06%
Hacktivity 2015 - A. Apvrille 33/35
That’s all folks!
Keep it in mind
I It’s easy to fool step & distance count
I Display Code makes the flex LEDsblink
I Sync data is encrypted on the tracker
I Inject 17 bytes on the tracker
I Use your tracker as a hardware RNG
Hacktivity 2015 - A. Apvrille 34/35
That’s all folks!
Keep it in mind
I It’s easy to fool step & distance count
I Display Code makes the flex LEDsblink
I Sync data is encrypted on the tracker
I Inject 17 bytes on the tracker
I Use your tracker as a hardware RNG
Hacktivity 2015 - A. Apvrille 34/35
That’s all folks!
Keep it in mind
I It’s easy to fool step & distance count
I Display Code makes the flex LEDsblink
I Sync data is encrypted on the tracker
I Inject 17 bytes on the tracker
I Use your tracker as a hardware RNG
Hacktivity 2015 - A. Apvrille 34/35
That’s all folks!
Keep it in mind
I It’s easy to fool step & distance count
I Display Code makes the flex LEDsblink
I Sync data is encrypted on the tracker
I Inject 17 bytes on the tracker
I Use your tracker as a hardware RNG
Hacktivity 2015 - A. Apvrille 34/35
That’s all folks!
Keep it in mind
I It’s easy to fool step & distance count
I Display Code makes the flex LEDsblink
I Sync data is encrypted on the tracker
I Inject 17 bytes on the tracker
I Use your tracker as a hardware RNG
Hacktivity 2015 - A. Apvrille 34/35
Thanks for your attention!
Contact info
@cryptax or aapvrille (at) fortinet (dot) com
Interesting links
I Galileo - https://bitbucket.org/benallard/galileo
I Fitbit Flex Teardown.http://ifixit.org/blog/5042/fitbit-flex-teardown/
I My Fitbit tools repository on GitHub
I Link to satisfaction form: http://ftnt.net/1iKyoNn
Hacktivity 2015 - A. Apvrille 35/35