Create your own Fitness Tracker Firmware: Reverse-Engineering the Fitbit Flex

Presented at REcon 2018, June 17, 2018, 5 p.m. (30 minutes)

The Fitbit ecosystem is briefly introduced to show how server, tracker and smartphone app interact under normal conditions, when all data is transferred to the proprietary Fitbit cloud. We explain in detail how we reverse-engineered the Fitbit Flex firmware, including its encryption libraries, BLE communication, proprietary protocol parsing and accelerometer processing. Beyond understanding the software running on the trackers, we also modify the firmware via binary patching, and we show how we adapted the Nexmon framework to alter Fitbit firmware. We demonstrate wirelessly flashing custom firmware onto a Fitbit Flex. Wireless flashing requires an understanding of the proprietary protocol, the encryption, and several validity checks; unlike wired flashing, it requires no hardware teardown. Along with this talk we publish new firmware modifications that enable raw accelerometer readings.

Presenters:

  • Jiska Classen
    Jiska Classen is working on her PhD at the Secure Mobile Networking Lab, with topics covering wireless and IoT security. She started reverse-engineering Fitbit firmware to enable encrypted wireless firmware flashing.
  • Daniel Wegemer
    Daniel Wegemer likes reverse engineering in general. His previous work includes the development of the Nexmon framework and an NFC relay app called “NFCGate”.
