Reverse Engineering the Nike+ FuelBand's Communications Protocol

An anonymous reader writes: Security researcher Simone Margaritelli has reverse engineered the Bluetooth low-energy communications protocol for his Nike+ FuelBand SE, a wrist-worn activity tracker. He learned some disturbing facts: "The authentication system is vulnerable, anyone could connect to your device. The protocol supports direct reading and writing of the device memory, up to 65K of contents. The protocol supports commands that are not supposed to be implemented in a production release (bootloader mode, device self test, etc)." His post explains in detail how he managed this, and how Nike put effort into creating an authentication system, but then completely undermined it by using a hard-coded token. Margaritelli even provides a command list for the device, which can do things like grab an event log, upload a bitmap for the screen, and even reset it.

OMG the Horror!

[Anonymous Coward]

Now we know how many Calories he burned. we are doomed...

Re:OMG the Horror!

[AchilleTalon]

Better, you can let him think he hasn't burn enough calories and make him running forever.

Re:

[Virtucon]

That's what I was thinking. Another "researcher" looking for publication.

Re:

[itzly]

It's easier to take that from a phone.

Re:

[Anonymous Coward]

Except this device doesn't have GPS.

Re:

[rthille]

No GPS, but I'm guessing that if you can get the raw accelerometer data from one of these devices over a long enough time, you could map out where they've been....

Re:

[macs4all]

Now we know how many Calories he burned. we are doomed...

Exactly!

Does EVERYTHING have to have the utmost in security?

What I didn't see was any mention of "personal information" or "remote code injection/execution" that MIGHT call for strong encryption.

So the question for Nike becomes "How much will having a bigger, faster microcontroller to encode/decode secure communications cost us (and therefore the consumer)?"

And is it necessary?

Re:

[cusco]

I wouldn't worry so much about the security of data on the device as much as once it's paired with your other devices you have a security hole inside your network that is trusted by your phone, laptop, whatever. Printers and security cameras have already been exploited to attack networks from the inside, this is yet another opportunity waiting to be exploited.

Undermined security w/ hardcoded token?

[Anonymous Coward]

Developer: That's insecure.
Phil Knight: Just do it.

So, what's the practical concern of this?

[TWX]

Are people going to reverse-engineer these things so that when they're worn into secure facilities, they inject-attack systems in the secure facility?

Are they going to act as a vector to attack other Bluetooth Low Energy capable security systems?

I simply want to know what kind of maliciousness can be achieved through exploiting bugs in a very, very special-purpose device.

Re:

[Mr D from 63]

Yeah, I wonder why a lack of rock solid authentication for this particular device so "disturbing"?

Re:

[DarkOx]

That was my first thought too. There is an obvious privacy, implication. Maybe in some really contorted situation you could induce someone to do something dangerous like convince a diabetic they have done a whole ton of walking this morning and therefore should eat more sugar than normal and similar attacks.

I think the big issue is the potential to use this as a vector to introduce malware to the phone or PC the owner interfaces the device with. Not sure how practical that is.

Re:

[gmack]

I think the big issue is the potential to use this as a vector to introduce malware to the phone or PC the owner interfaces the device with. Not sure how practical that is.

The big issue will be that people will use this to display rude things on random people's armbands.

Re:

[Frosty Piss]

The big issue will be that people will use this to display rude things on random people's armbands.

So you are saying the Anonymous script kiddies will use this to advance their devilish plan to "out" pedos and bring down ISIS?

Re:

[CaptainDork]

The real issue is the inherent philosophy that the Internet of Things is such a trivial group of devices that security is not important.

What's the threshold, and who establishes that?

It's obviously an important discussion, given the attention it has generated.

Re:

[TWX]

Oh, for that I definitely agree, there is a very specific point where that security needs to take place. I just don't think that a bluetooth wrist band that is supposed to only intermittently connect to a host device (not even directly to the Internet) is that place. I'd rather see wireless keyboards and mice see their communications secured before I worry about this thing.

Re:

[BronsCon]

issue or benefit?

Re:

[amias]

such as reebok logos ?

Re:

[Anonymous Coward]

IDK, might be fun to make them all display custom messages. Simple app could harvest the device nonces in the area and then upload custom messages to each one using Cmd_UploadGraphic. Lots of laughs at the gym.

Re:So, what's the practical concern of this?

[CastrTroy]

It's interesting that you bring that up. Many secure facilities won't allow people to bring in cell phones or other devices. But it's actually quite hard to distinguish some regular wrist watches from one with cameras or communications devices in them. I think if you really want to have a "secure" facility, then you pretty much have to limit people to bringing in no electronic devices whatsoever.

Re:

[TWX]

I expect that such facilities are helping to keep the paging industry going. That long with drug dealers...

Re:

[amias]

if you have a secure facility that allows random bluetooth accessories to connect to it , its not a secure facility its a bad joke.

Re:So, what's the practical concern of this?

[oodaloop]

I work in a secure facility, and activity tracking wristbands (among many other things) are forbidden.

Re:

[Anonymous Coward]

I work in a secure facility, and activity tracking wristbands (among many other things) are forbidden.

What about posting to Slashdot on the clock?

Re:

[Anonymous Coward]

I work in a secure facility, and activity tracking wristbands (among many other things) are forbidden.

What about posting to Slashdot on the clock?

You mean this isn't WikiLeaks?!? Oh for fucks sake, I'm ruined!

Data mule-ing and brick-ing?

[xxxJonBoyxxx]

As I understand the analysis, this exploit could be used to turn Fuelbands into data mules. It could also let someone temporarily brick all the Fuelbands within range (could be fun at the start of a marathon or at the gym).

>> Cmd_Bootloader: Set the device to bootloader mode ( basically it locks down the device, the official app won't work either ... only resetting it with the usb cable will unlock it ).
>> Cmd_SampleStore: Use the device memory to store a custom object (!!!)

Re:

[kesuki]

"this exploit could be used to turn Fuelbands into data mules."

all 65k of memory they have too sure you can fit a forkbomb but a 65k data mule?

Re:

[charlieo88]

Johnny Mnemonic?

Reversal of Fortune

[SuperKendall]

Good god man, with the protocol fully in the hands of hackers they can reverse the bluetooth polarity flow - either shifting it to red through acceleration to burn your wrist, or even worse with the reversed flow affecting the heart rate monitor the hackers have full control of your heart rate!

Think everyone wearing a FuelBand as now living either a Logan's Run or Running Man scenario...

Re: So, what's the practical concern of this?

[WindBourne]

In general, somebody who has loads of money will make use of these bands. Now, if I wanted to take a rich person as hostage for a payoff, I might get somebody close to them to simply change out some code. That way when rich person is walking around and device gets a signal, it says, here I am. Basically, an easy tracking device.

Re:

[TWX]

What's the range on it though? This is a low-power specification after all; you'd have to be right on top of them to detect it so you'd already know where they are.

You can change the booloader?

[Anonymous Coward]

So, does it run Linux yet?

Re:evil gen[i]us

[Anonymous Coward]

nevermind... the modified subject says it all

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[itzly]

Surely, the logical extension is that they send you to a death camp for not having perfect health.

Re:

[Qzukk]

Death camp implies that they're interested in spending money on killing you when there's a perfectly serviceable gutter for you to crawl into.

Re:

[itzly]

Of course, they want to prevent you from spreading your inferior genes.

Re:

[sjames]

Keep in mind that the better insurance gets at assessing risk, the less value it has.At some point they get the risk pinned down with sufficient accuracy that you come out better by putting the premiums into a savings account until needed.

Of course the root problem is mistaking insurance for a solution to outrageously overpriced healthcare.

Re:screw fitness bands.

[tlhIngan]

the privacy policy insists they sell de-identified data (because metadata is a dirty word these days) to third parties

Metadata is NOT de-identified data. Metadata is data about data, while de-identified data is anonymized data.

Metadata would be for example how often and when you upload your results to their website, but nothing on what you ran or for how long and all that (that's data). The data itself would be your track, pace, location and all that information, tied to you.

De-identifying the data would mean advertisers get access to your track, pacing and other stuff, but with no name attached, and maybe even missing a few reporting points so your address isn't obvious by looking at the endpoints.

It's not that metadata is a bad term - it's reasonably accurate because it's the difference between say, a pen recorder and a wiretap recorder (ohe records details about the call, the other records the call itself). Or recording IP headers over recording packet contents.

You deal in metadata a lot - a file name is metadata - it's not a part of the file's contents (the data), just like the date and other details. You can get access to file metadata quite easily even if you can't read the file itself (and it's not possible to read the file without being able to access the metadata).

Is anybody surprised?

[gstoddart]

In what way should anybody be surprised that a wearable, wireless device has implemented security in a completely incompetent way?

These are products which are intended to be cool, shiny, and pretty ... but secure? Not even a little.

I continue to be unsurprised by this crap, and I continue fairly firm in my indifference to owning any of this stuff ... and the same goes the for "Interweb of Stuff"; I assume that out of the gate it's going to be insecure and stupid.

Unless companies have actual legal liability for shit security, you'll continue to see shit security.

So just don't buy it if you value security or privacy -- because they're all pretty much designed to upload your information to analytics companies anyway.

Re:

[justthinkit]

In what way should anybody be surprised that a wearable, wireless device has implemented security in a completely incompetent way?

Right. Since Fitbit wearers are the product, to a vast array of companies wanting personal information, it sounds like the Fitbit is designed exactly how they want it designed -- to increase the value of Fitbits in the ultimate marketplace.

A locksmith sells few keys to secure locks...

Re:

[thegarbz]

Yep I'm totally going to sue Nike because someone can change settings or read how many calories I burn on my fuel band. My privacy is so important.

Look I'm all for privacy, but it gets to a point where I just don't give a shit about someone knowing some details.

I go to the gym three times a week, run about 4km at 6min/km, then row 1km, and cycle 5km. There you are, out for all to see. About the only thing else you'll get from my fuel band is that I actually skipped gym last Thursday.

Now if we were talking a

Re:

[stephenpeters]

So just don't buy it if you value security or privacy

Or if you are part of the Slashdot audience just wait until the wearable device is being dumped on eBay by people upgrading to the latest shiny thing. Then if someone has written a library for the device you want that provides access to the data stream buy it at a significant discount. You can then allow it to only pair with a secure device at home, avoiding the manufacurers crapware and keeping your data private.

Cool.

[the_skywise]

I've got one of these and I honestly don't care if the band isn't secure. Sure they can get my motion data and I'm sure some nefarious insurance company could install bluetooth readers worldwide to pilfer my data, confirm that I'm not moving enough and raise my rates but... heck any good scale and heart rate meter would tell you that and probably be a lot more useful.

But now that it's been cracked -
I'd like to see somebody use this to make an android version of the software.

I'd like to see somebody interface with the iPhone better so when I get a call it could display the name of the caller or an appointment reminder on my band (ooh, wotta concept!)

And maybe, just maybe somebody would write a download tool that'd COLLECT THE DATA BETTER THAN NIKE DOES!!!! Because right now I average about 1 bad read a month. (Killer if you're trying to go for the consecutive days award or, y'know, actually, accurately *monitor* your activity levels)

Re:

[rthille]

Um, he decompiled the Android version of the app to figure out that the device was insecure...

Fuck it, who fucking cares about that token anyway

[burtosis]

Let's just use 0xff 0xff 0xff 0xff 0xff 0xff .... !

I laughed pretty damn hard. Best laugh I've had today.

Didn't they learn the lesson of the PC?

[zoffdino]

This whole IoT concept is treating security as a joke. In the first of wave computing, the mini-computers (particularly Windows) treated security as an after-thought. That created the virus-laden era of the 1990s and early 2000s. The second wave, the "new" smart phone, learned the lessons, and use sandboxes, walled garden, permissions, encryption, tokenization, etc. pervasively. It's not fool-proof but at least the door is locked. Now we are approaching the third wave, the Internet of Things, and manufacturers think these devices are so personal that no security is needed. What do they say about people who don't learn any history?

Re:Didn't they learn the lesson of the PC?

[itzly]

Those who learned from history are doomed to watch others repeat it.

Re:

[thegarbz]

the Internet of Things, and manufacturers think these devices are so personal that no security is needed.

And you know what, in many cases I agree with them. Oh and the fuel band can hardly be considered an IoT device. It's just a datalogger. Actually it's a datalogger for some really mundane and boring data about someone.

Re:

[burtosis]

Hardly surprising. It's already well established that electrical engineers write lousy code. Granted, the tools for developing for embedded systems are beyond crappy and embedded microcontrollers are extremely cramped but that's still no excuse for ignoring well understood engineering practices in relation to security.

The real question is how many security incidents will need to occur before the industry is motivated to fix the problem.

Yes electrical engineers on average don't write code as well as developers but no one with a real degree writes code this stupidly. It smacks of a management decision.

Re:

[svirre]

Actually it looks like a manufacturing managers decision. Somone writes code that depend on that manufacturing needs to inject and track unique keys for each device. Manufacturing sees this and realizes they actually need to earn their keep and set up infrastructure to support product requirements, instantly balks, and force through a security hole they neither understand or care about.

Re:

[rthille]

Doubtful. You can use bluetooth to set the device into bootloader mode, but you can clear that by plugging it into USB, so the initial setup via USB (required, IIRC) could set the private key into the device.

Targeting the DIY community?

[macxcool]

They're trying to capitalize on all the interest from the DIY community. Someone will hook it up to a Raspberry Pi and make it do something it was never intended to do.

Re:

[burtosis]

Yes like bricking everyone's band as they run past at a marathon or popular path. Perhaps adding a mandatory PWNT message on the band.

Im thinking this is an unintended concequence of a smug and vindictive type benevolent overseer decision.

There are better ways to get DIY support IMO.

Re:

[itzly]

Yes like bricking everyone's band as they run past at a marathon or popular path

Sounds like a lot of work, when you can just throw a rock at them.

The problem being that anybody could break it

[martinmarv]

It costs (guessing, CBA to check) $100, and anybody walking (/swimming/sitting) near you could potentially break your device, and brick it so it becomes useless. That kinda sucks.

Re:

[rthille]

It's only bricked until you plug it into USB and then you can reflash the firmware

Excellent!

[real gumby]

This is the one device that has support wired into iOS (e.g. the healthkit). Now other wearable makers can get their data straight into the phone!