We explain the Fitbit security architecture, including the most important communication paradigms between tracker, app, and server. Our talk focuses on the tracker itself and its wireless interfaces, nevertheless it is important to understand the roles of the other components to successfully imitate them.
Custom firmware makes fitness trackers the ultimate geek toy, including the possibility to improve security and privacy. We show how we reverse-engineered the wireless firmware flashing process, as well as setting up a Nexmon-based environment for developing custom firmware. A short demo shows how wireless flashing works, including potentials of the modified firmware.
We also release a smartphone application supporting a subset of the demonstrated attacks, including the possibility for users to extract some of their fitness tracker data without sharing it with Fitbit. This is a huge step towards privacy on wearables. Apart from the app we will also release everything necessary to patch your Fitbit firmware, enabling users to develop more secure mechanisms protecting their data.