Presented at REcon 2018, June 17, 2018, 5 p.m. (30 minutes).
The Fitbit ecosystem is briefly introduced to show how server, tracker
and smartphone app work under normal conditions when transferring all
data to the proprietary Fitbit cloud.
We explain in detail how we reverse-engineered Fitbit Flex firmware,
including functions such as encryption libraries, BLE communication,
proprietary protocol parsing, and accelerometer processing.
Apart from understanding the software running on the trackers, we also
introduce modifications into the firmware via binary patching. We show
how we modified the Nexmon framework to alter Fitbit firmware.
A demonstration of wirelessly flashing custom firmware onto a Fitbit
Flex is shown. Firmware flashing requires an understanding of the
proprietary protocol, the encryption, and several validity checks. In
contrast to wired flashing, no hardware teardown is required.
We publish new firmware modifications along with this talk that enable
raw accelerometer readings.
Presenters:
- Jiska Classen
Jiska Classen is working on her PhD at the Secure Mobile Networking Lab, with topics covering wireless and IoT security. She started reverse-engineering Fitbit firmware to enable encrypted wireless firmware flashing.
- Daniel Wegemer
Daniel Wegemer likes reverse engineering in general. Former work includes the development of the Nexmon framework and an NFC relay app called “NFCGate”.