Fitness Tracker: Hack in Progress
Formal Metadata
Part Number | 2
Number of Parts | 29
License | CC Attribution 3.0 Germany: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/18832 (DOI)
Hacktivity 2015, 2 / 29
Transcript: English (auto-generated)
00:00
So thanks everybody. We'll start straight away. So what is this? It's easy. It's a fitness tracker. Okay. It's the one there on the slides. It's not Obama's. Okay. It's mine. Well, it's the one I'm hacking, and
00:21
Well, if you haven't got one and you don't know what those are for, basically it will, it's a tracker, the sports tracker. So it will tell you how many steps you've been walking. It also acts as a sleep wristband, that's what they advertise it as, so it'll tell you if
00:41
the quality of your sleep is good, if you've got an efficient sleep or not, okay. And the display: this is really the entry-level sports wristband at Fitbit. It has only five LEDs there, just at the top there.
01:02
They act like kind of a progress bar, so that you know how far you are from your next goal. Like, I don't know, my next goal is to walk 5,000 steps in a day, or 10,000 steps, something like that. It can blink some other, but only the LEDs are like meant to be meaningful for somebody.
01:24
It can also vibrate, so you can wake up in the morning with it if you want, or wake up just in time to get to my talk. And on this one you have no altimeter, so if you're hiking on top of the Everest or whatever, well, it doesn't know.
01:42
It has no GPS. Those are only on the higher models of fitness trackers. So actually you see it's really like, you know, a plastic stuff there, and if you open it up
02:00
this is where you get to the small plastic enclosure there, and that's where you've got all the logics, the electronics and everything that tells you how many steps I'm walking during the presentation, for instance, right. And then I tried to open it. I
02:25
Then my husband came in and he was frightened to see me with that, so he decided he'd do the job. He took that, like, enormous cutter, and I was frightened for his fingers, and we tried to open it. As you can see, it's pretty tough because it's a very small enclosure.
02:48
Its plastic is quite solid. It's difficult to rip through, and then once you've ripped through it's very difficult not to break what is inside, because what is inside is very fragile.
03:01
Well, you can see there, I'll move the pointer. It's there, right, that's the Bluetooth antenna, and here you can see on the, well, the red part there, it's the NFC antenna. And there, if you have good eyes, this is the NFC chip, right. So in the end
03:29
we managed to open it without breaking the motherboard, well, nearly without breaking it, and that's pretty good because some other guys of iFixit and 360 electronics
03:43
had tried and they had broken the motherboard, so the Fitbit was no longer responding. Here, what we broke, you can see it, whoops. That's next time is there. It's the pewlet, so probably it won't be blinking anymore, but at least it should be still working.
04:01
And there you can see this is the main chip, so it's an STMicroelectronics chip with an ARM Cortex-M3, if I'm correct. On there you've also got a real-time clock. There, this is the three-axis
04:20
accelerometer, okay, so this is what measures the acceleration on three axes. This is the Bluetooth chip. This is for charging. And then on the other side, well, you haven't got that much space because the battery here takes quite a lot of space, of course, and you've got the vibrator.
04:45
Right. So then this is a quiz, just you. This is all for the hardware part. Do you have an idea how many trackers have been sold? All trackers
05:00
combined, not only Fitbit. So 10 million, 40 million, 70 million. Hands up for 10 million. 40 million. A bit more. 70 million. I didn't count, it looks like it's between 40 million and 70 million according to you. Well, it's 70 million, well, according to stats, right, and it looks like it's growing, so it's really
05:27
massive. Those are world wars plus stats. And of course, well, we're in a security conference and hacking conference, so the question we have on our minds is, well, can we get it to register
05:45
fake steps, for instance? So that crocodile is suggesting, well, if I walk on four legs, will it count for more steps or something like that? That's what we're gonna have a look at, so we're gonna have a video for that,
06:03
but basically I tried to have it register some fake steps. And I'm lazy, like it happens for quite a few hackers, and I thought, okay, I'd like it to register the steps while I'm just sitting at my desk and working.
06:20
That would be cool, and that's what I did. I need my glasses.
06:46
So here we are first synchronizing the tracker. That's like kind of the geeky way, I'd say, to synchronize it. Of course, if you are on Windows or something like that, there's
07:01
an easier way to do it, but still, it works as synchronized. And I have a look at the beginning how many steps I had that day: 38 steps, not very much, right. And then I attach it to a fan.
07:21
Yeah, that's the, you could, it's a very small fan, like five euros, something like that, and that's at my office. And that's lazy walking. There we go. And then we're gonna
07:41
try and synchronize it again and see how many steps I've been doing. You know, I've been walking very much, haven't I? Refresh the page: 105 steps, still on my chair. So that was
08:00
67 steps in 45 seconds, that's something like three kilometers an hour. It's not like, you know, I'm really walking very fast, but it's better than nothing, especially when I'm just sitting on my chair. I go back to slides
08:22
now. When it comes to being lazy, to be honest, I'm really not the worst on that kind. There were some other researchers, look what they did. They attached it to the wheel of their car. That's really great.
08:41
And the, well, they ran their car like for ten minutes, not too fast, look, and they registered, it was something like a little bit over 1,000 steps that way, which is not, same thing, not so fast, like it was maybe four kilometers an hour or a little bit more.
09:01
Probably they didn't want to drive too fast and lose their tracker. I don't know exactly how they set it up, but that's another possibility. I could put it on my car and now be very fit that way without actually walking. So well,
09:23
you've seen it, we can abuse steps because of that, and because distance is only steps multiplied by the walking strides, we can also abuse distance, and of course we can abuse the calories and the very active minutes
09:43
which are displayed on our Fitbit account, okay? Because they all just depend at the beginning on what the tracker registers as steps. Now what about running? Well, it turns out that many people did
10:01
research on those accelerometers and how it was measured, and with an accelerometer, well, we can work out pretty a lot of things. For instance, we have here the various curves for when we're walking, and those there when we're jogging.
10:21
Basically you see higher peaks when you're jogging because you kind of put more acceleration. Well, not me, because I'm a very bad jogger, okay, but normal people, it would look like that probably. You also have some other patterns for somebody sitting down, standing up. When you're standing up, right, you get up, so you have
10:46
high acceleration on the vertical axis, and the vertical axis on that plot is the y-axis. That's why you have that one there. Can even do better: you can actually tell, work out
11:01
what you are doing, so I've got here patterns for when you're vacuuming, when you're brushing your teeth, right. So with all of that, with only an accelerometer, getting the tracks on the three axes, of course I can tell if you're walking, if you're running,
11:24
but I can also tell if you're brushing your teeth. That's cool. So why would we be doing that, okay? It's cool to attach one's tracker to a fan, but it's maybe kind of a little bit useless. Well, the goal behind it, at least for
11:45
an attacker or somebody who wants to get something out of it, is to earn those undeserved badges. It's the way I will be able to earn my 5,000 steps badge, my 10,000 steps badge or something like that, and with that
12:02
you can affiliate to various programs from various companies which will give you kind of points that you can redeem for various gifts, like a gift card, a $50 gift card, that happens. You can get some special discounts for sneakers, sports suit, whatever, and
12:24
there are plenty of other things that you can get from those. There's for instance a gambling solution. It's a company called Pact. Well, they say you kind of affiliate your tracker to them, and then you say, okay, this morning or today
12:42
I'm gonna walk 10,000 steps, that's my bet, and you place some money. If you only do like 9,000, well, you lose your bet, you lose your money, and your money goes to the other people who won their bet. If you win your bet, you get your money plus a little bit of all
13:04
the money that the others who lost their bet, okay. So you can get some kind of real money out of just cheating and getting those undeserved badges. So that's kind of a motivation for attackers.
13:22
Of course there's also money for business. Well, that's pretty obvious, but all those affiliation companies which get the data from your fitness trackers, well, they make money out of it. Here we have Higi, which is a company who
13:41
affiliates with Fitbit trackers, and they said, well, we are launching our industry-leading, privacy protected of course, and secure API, and with that, trusted partners on an opt-in basis only to receive health outcomes,
14:02
activity data from participating users, right, okay. So there's money for everyone there. To recap, you can add steps, distance, everything. With an accelerometer we can do actually more than
14:23
hacking and tracking steps, we can even know if you're brushing your teeth or vacuuming your house. And there's money for everybody there: the legitimate owner of the tracker, an attacker, and also the industry.
14:43
And when there's money, that's the fact we know, there's always threats behind it. So now we're going to investigate a little bit more the software part of that.
15:00
This tracker there, it only knows Bluetooth, right. Well, it also knows NFC, but I haven't got any NFC device, so I haven't tried with that, but it talks with Bluetooth, so if you want to synchronize your data, at some point you have either like
15:20
the dongle, this one, blue USB dongle, or a smartphone that knows Bluetooth Low Energy, and those devices will kind of relay your synchronized data to the Fitbit service at the other end.
15:42
So then what I wanted to do is just to put myself on my laptop, and from the laptop here to the fitness tracker I just want to be able to talk to it, to send messages, to receive messages from it, and learn from that to start hacking it.
16:02
So I wrote a small Python utility to do that, and to write to it, it's pretty easy, because actually you just have to send USB messages to the right endpoints. There's one endpoint for the dongle, right there, and another endpoint for the tracker.
16:20
So you send a USB message to the endpoint to the tracker, and actually after that it goes, like, Bluetooth to the tracker, right there. So we're gonna try the tool, so
16:46
there it is. It's not very fancy, as you will see, but it works. Well, I shouldn't say that before I try. First thing I have to, well, and claim the dongle
17:02
so that I can register it with my own stuff, and then, well, we can get some information like on the dongle. It gets up there, that's the version of my dongle and its MAC address, okay.
17:24
Then I'm gonna detect trackers in the room. Well, if some of you have trackers in the front rows, they will probably be detected as well. So all messages with the tracker are always, oh yeah, there's plenty of trackers.
17:47
So so so at least those
18:12
There's another one there. I think mine is the first one, is this one. The other three, I don't know.
18:23
The RSSI, that means like, I forgot, signal strength, or, forgot the R. But the higher it is, the closer it is to my USB dongle, so that's quite logical. I have the first one is mine, it's close to that, and then the other ones are like features that those
18:43
trackers have, right. So now I'm gonna have to select the tracker I want to talk with. Mm-hmm, so which one now?
19:00
Aha, some of you have put it off, with yours off, and I can't see mine any longer. What's that? Whoo, cool, try that. Well, it's a very good test because actually yet
19:34
at work, I only tried with one dongle, because the other one, as you can see, I ripped it off.
19:40
So there it goes. I'm gonna select mine, and now what can I do? Well, I can for instance, I can tie this. So now you probably won't see it, but this one has the LEDs blink. I'll show you when it, there it is.
20:01
I'm not sure you can see it, but there's a few LEDs blinking on my device there. The other thing we can do, we always have to reset it. I'm sorry, all of this stuff is a little bit painful, but otherwise it just says timeout all the time.
20:20
We can get its data, so I have to select again my tracker, I believe, and we'll try and synchronize the data. So mine this time is the second, number two, and get tracker data.
20:57
So there it is.
21:03
So yeah, that's encrypted. Encrypted data of all the steps I've been walking. There's pretty much, pretty a lot this time. Of course I went a bit too far, and at the beginning what's interesting is that I managed to reverse at least the header,
21:24
so I know that I am synchronizing with a Flex and that it's, well, version 2, we don't really care, that there's a sequence counter at the beginning, and this is basically like a model indicator of
21:41
which kind of Flex, which version number there is, and then you've got the encrypted blob, which is encrypted with keys from Fitbit, which contains all the steps and all the activity I've been doing. So that's all, let's go back to the slides.
22:10
So all of these messages that you saw that I can send with that kind of small tool, well, I had to reverse everything manually, because there's no kind of hacker's documentation, of course, for those devices.
22:23
So it was pretty long, of course. I managed to reverse like 20 messages for the dongle, they have a different type, and then 24 messages for the tracker, with a different type, and then there's the communication with
22:41
the server in itself, the Fitbit servers. This is done through HTTP or HTTPS with an XML communication protocol, and this is pretty easy to reverse because you just have to, like, Wireshark or sniff the network traffic and see how it's working, but this isn't really difficult there.
23:02
So we'll just have a glimpse at what tracker packets look like, okay. Won't be going in the details of the 24 packets, of course. What happens is that all packets that you send to the tracker,
23:22
they always start by C0, that's the indicator for "this is a tracker packet". Then you've got the command identifier, and 10 in that case, it means get dump request, which means I would like to get the data to synchronize, right? The tracker receives that and will start and respond by, okay,
23:44
I'm gonna start and send you my data, but first it just sends, so this is command identifier 41, start of dump response. Then it sends the dump, that's the encrypted blob that you saw on the utility, and
24:02
then at the end it sends another packet to say, okay, finished, and you've got also the dump size so that you can be sure that you haven't been missing a packet, for instance. There is also a CRC at some point, but I haven't seen any hash, for instance.
24:20
There we go. Okay, so we can do plenty of things: we can get the information of the dongle, we can see how many trackers there are nearby. If you want to come later on and try to synchronize with my tool, do come and see me afterwards.
24:42
We can have the LEDs there blink. That's great. Now just imagine if I tell my management, hey, you know, it's great, I've been working like for three months and I'm able to get a few new LEDs blink, and, well, we can do it with the standard tool, but here I can do it with my own tool.
25:05
I'm not sure they'd be impressed, right, so we'll try and do a little bit more than that. Actually, when it comes to satisfying management, it would be helpful actually if you could fill in this
25:21
satisfaction form. It's really very easy. You've got like a scale, zero very bad, five excellent. Be sure that if you put zero I'll trash it, and if you can generate like 1999 instead of five, that would be interesting for me as well, right.
25:41
So yeah, the real question I'd say my management would be interested in is rather, well, can this tracker get infected? Okay, I don't know if you know, I'm working with Fortinet, and I'm a malware analyst there, okay. So this is really what my boss will be interested in,
26:03
or if it can't be really infected, or if it can, is it able to propagate the malware to other devices. So we worked out an infection scenario. There we have an attacker
26:22
who sends some malicious code to the tracker. The tracker gets infected, right, and then next time, well, the attacker can go away, the victim is going to
26:40
discover, at some point, is going to discover the tracker, for instance if he wants to synchronize it or something like that, and what's interesting there is that we manage to get all responses from the tracker also contain that malicious code.
27:02
Right, so from now on, whenever the infected tracker is queried for something, well, it will always answer some packets plus the malicious code, and then, well, of course on the victim's laptop you can imagine plenty of nasty things that this malicious
27:25
payload will deliver, like crash the laptop, propagate to another device, something like that. So I will show you a video of that because
27:47
So it's this one, so it's really, yeah, before I started, it's really like a hacker's proof of concept.
28:01
It's not very visual, I'm sorry about that. Where is it? Start back. So there it's starting, and I'm going to inject to the tracker some,
28:26
imagine it's a malicious code, but it's not. For the demonstration purposes I'm just injecting the string "hack your flex", right, and then each time I
28:41
send a command to my tracker, you can see below there that it is always answering the right packet, but also "hack your flex", which could be the malicious code. Then I decided, okay, I send plenty of messages, and there's always "hack your flex" there.
29:02
What happens if I really totally reset my tracker? Can I still see that injected code? So yeah, hundred percent for this part, and then now we do a complete reset, and
29:26
we lose a few bytes there, okay, still recovering like most of it, which is what we're interested in, so we can perhaps put actually
29:40
the injected bytes a little bit further on so that we're not losing them. So this is possible because of a vulnerability on the tracker, which has been of course disclosed to Fitbit and which they said they will be patching very soon.
30:04
So I won't be disclosing, yeah, exactly how it's being done. But still, in that video you can see that there are a few limitations. First, of course, it's a proof of concept. There was no real malicious code, only just a string being sent and that we see
30:21
coming back in all packets afterwards. The other limitation I have is that with this technique I am only able to inject at most 17 bytes. 17 bytes, that's not a lot, right. It would be a bit short for a full-fledged
30:43
botnet, of course, but still I think it's still valuable, because if you are old enough to recall like the crash pan a Pentium Trojan in 2004, well, it was only four bytes. You received those four bytes on your computer and it would crash it completely. So 17 bytes
31:05
is really far more than that. The other limitation that we have for now is that I haven't been working on the way to actually execute or deliver the payload on the host, so on the victim.
31:21
It receives the packet, the infected packet, but it still has to infect the laptop or do something on it. This means like exploiting perhaps the USB stack or exploiting the Bluetooth stacks, things like that. That's for some other parts of research to be done there.
31:41
And of course then the other limit is that Fitbit will be patching, so this won't be possible anyway in a few months, probably. Now some other things we can do with the tracker there. That's like, imagine, I don't know, you don't want to use your tracker any longer
32:03
for sports and you want to do something else with it, or imagine that, I don't know, the Fitbit servers are down and you don't know what to do with this tracker any longer. Well, we can use it as a source of entropy. So that's perhaps because I like cryptography, so
32:22
thought, well, you know, we're always liking a good source of entropy. How about using this tracker there? The way we do it, again, is just having a look at the various messages that we can send to the tracker. There is one message
32:40
which is called like authenticating the tracker, which is meant to set a bond between the smartphone and the tracker, and for that, well, the dongle or the smartphone is going to send a challenge, the tracker
33:02
responds the other way with its own challenge, and then the dongle is meant to compute a match out of those two random numbers, and that way we authenticate towards the tracker. Now if we just want a random number generator,
33:22
we are just interested in the second packet, this one, the 51. To get that one we just send like a very dummy first one, the 50. We don't care. We don't have to generate a local random number. We'll just send all with the same one, and then
33:41
we read the random number that the tracker sends us, and we use that as a source of randomness. Let's try that.
34:09
Yeah, I have plenty of trackers.
34:24
Mine is number three, but actually I could have your trackers work as well, and RNG, that is to get random numbers. So the first few bytes, first eight bytes to get, are a bit slow because it has to establish the Bluetooth link
34:46
to the tracker, and then it goes. I wouldn't call that fast, but fast enough to get some random numbers there. Okay, so those are the random numbers that it generates.
35:04
Now I'm sure that you wonder, well, okay, they look random, but are they really random? That's really a good question, right? So, well, I tested them, and I tested them with the batteries of tests which are, you know, recommended by the NIST for their own
35:24
random number generators that they want to kind of test. So there's a tool called ent which regroups all those first tests: the chi-square test, the mean test and the Monte Carlo pi test, and
35:42
then there's another battery of tests which is called Dieharder there. And in an ideal world, okay, that's what we are targeting, we would have a random number generator with those values there, right. You never get this, of course, because the ideal world is never perfect, and
36:04
that's what we get for our tracker with my system there. And what we see, I've compared it with some other sources of entropy. So Victor Hugo, this is French literature, just to see how bad it goes when something is not random, the difference.
36:26
Ciphertext here, well, ciphertext is meant to be pretty much random at the end when it's, you know, encrypted, so it's also a good way to test, to see how a good random output would be, and then you've got some physical events like
36:42
radioactive decay as well to compare with. And, well, the results are a bit difficult to assess because there's no like real excellent random number generator, but it looks okay. I mean, it doesn't look really worse than what we'd have standard on the Linux systems, for instance.
37:07
So perhaps I would not be using it for cryptography, but it's not too bad. So yeah, that's all. So just to recap, well, we are able to fool steps and distance count.
37:25
We can have our LEDs blink. That's great, I like it personally, but we can also have worse. We can see that the synchronization data that go to the Fitbit servers are encrypted, and
37:41
I'll be working on that later. We are able to inject 17 bytes on the tracker, which could be potentially harmful because we can that way infect our tracker and propagate the infection to other devices, and
38:00
we are able to use our tracker as a random number generator. And that's it. You've got a few links there if you want to see some more. The tools, my tool will be posted in like a few days, the time I get back home. And then if we've got some time for questions,
38:23
I'll be happy to answer, and if some of you want to try to synchronize their tracker with the tool, it's possible as well.
38:44
No question, or is it that I don't see the hands up? Yeah. Yeah, so the question was, is it possible to apply it to other Fitbit trackers. Yes, it is.
39:05
This work is applicable to any Fitbit tracker as far as I know. There are some specificities for some others, like they don't have the same device type, they don't have exactly the same headers.
39:21
I haven't reversed exactly all of them, but yes, they synchronize the same way, you send the messages the same way. It's globally the same way to communicate with a tracker. They just do have some, for instance for those with a screen, you have some messages
39:43
which are implemented on this one but not used. Well, on the Surge for instance, or on the Charge, those packets are really useful and do something on the device.
40:03
Other question? Yeah. I don't know what they're gonna do with that. They told me they would be fixing. I
40:21
talked with them, first time it was in March, March this year, and they told me it was a bug, not a security issue. So I told them, well, I don't mind as long as you fix it. So, and they haven't fixed it yet, that's the only thing I know.
40:49
Well, it's possible to update the firmware. Yeah. I don't know if you, so in the tool there I can get the firmware data, well, except that it's encrypted, same thing, so I
41:06
can't make all the sense out of it yet. Let me show you. Yeah, it's there, it's "get firmware data", so they have the way to update the firmware, and probably that's what they will do, do it that way, patch and send a firmware update afterwards to people who
41:26
are synchronizing. I guess it's the way they're gonna do it. Does that answer your question? Any other question?
41:55
Yeah, why haven't I tried to hack the firmware? It's because it's encrypted.
42:03
For now. It leaves the tracker, there it leaves it, it's already encrypted, so when I see the bytes on the laptop it's already encrypted. If I have a look at them on the smartphone, same, it's encrypted, and when I discussed with
42:23
some Fitbit security engineers, they told me that indeed they considered the laptop or the smartphone as outside the security enclosure, so that they had encrypted it before, which is actually, I guess, a good measure. So it's encrypted, and for now
42:41
I'm not even sure what algorithm they are using. It could be either AES or XTEA, I am not sure of that. I haven't been able to locate the key they are using either, and for that I need to inspect the hardware.
43:00
So that's why at the beginning we started like opening it, and now we have to, I get to be to probe the hardware to get something. I haven't been able to see anything more with the software. I can ask them for an update, but when I ask for an update it gets encrypted on my,
43:25
on the tracker, so comparing encrypted data is useless. Yes, I can downgrade? Not so sure, because there is at the beginning of,
43:43
yeah, at the beginning of the packets there's a sequence counter, and for instance I tried some other times to do some replay attacks on steps, like I record every packet that is going to the Fitbit server while I've been doing 10 steps and try to replay that
44:02
with changing the sequence counters correctly, and it did not work, so I guess that it's more than just encryption. There's probably in the encrypted packets either some timer or something more, but it's not working if you replay it, so it might not be possible to downgrade for the same reason.
44:27
So have I tried other brands? No, I have not. I have been playing with some other devices, like Sony SmartWatch as well, but the architecture is completely different, it has absolutely no,
44:45
yeah, no relationship with a tracker. To try other trackers, yeah, it could be fun. Yeah. Okay. Okay, well, I guess
45:03
that's all, unless there's another one. Okay. Well, thank you very much for attending then.