Create your own Fitness Tracker Firmware: Reverse-Engineering the Fitbit Flex

Presented at REcon 2018, June 17, 2018, 5 p.m. (30 minutes).

The Fitbit ecosystem is briefly introduced to show how server, tracker and smartphone app work under normal conditions when transferring all data to the proprietary Fitbit cloud. We explain in detail how we reverse-engineered Fitbit Flex firmware, including functions such as encryption libraries, BLE communication, proprietary protocol parsing, and accelerometer processing. Apart from understanding the software running on the trackers we also introduce modifications in the firmware via binary patching. We show how we modified the Nexmon framework to alter Fitbit firmware. A demonstration of wirelessly flashing custom firmware on a Fitbit Flex is shown. Firmware flashing requires understanding of the proprietary protocol, encryption, and a bunch of validity checks. In contrast to wired flashing, no hardware teardown is required. We publish new firmware modifications along with this talk that enable raw accelerometer readings.

Presenters:

  • Jiska Classen
    Jiska Classen is working on her PhD at the Secure Mobile Networking Lab, with topics covering wireless and IoT security. She started reverse-engineering Fitbit firmware to enable encrypted wireless firmware flashing.
  • Daniel Wegemer
    Daniel Wegemer likes reverse engineering in general. Former work includes the development of the Nexmon framework and an NFC relay app called “NFCGate”.

Links:

Similar Presentations: