Reverse Engineering the Nike+ FuelBand's Communications Protocol
An anonymous reader writes: Security researcher Simone Margaritelli has reverse engineered the Bluetooth low-energy communications protocol for his Nike+ FuelBand SE, a wrist-worn activity tracker. He learned some disturbing facts: "The authentication system is vulnerable, anyone could connect to your device. The protocol supports direct reading and writing of the device memory, up to 65K of contents. The protocol supports commands that are not supposed to be implemented in a production release (bootloader mode, device self test, etc)." His post explains in detail how he managed this, and how Nike put effort into creating an authentication system, but then completely undermined it by using a hard-coded token. Margaritelli even provides a command list for the device, which can do things like grab an event log, upload a bitmap for the screen, and even reset it.
It's interesting that you bring that up. Many secure facilities won't allow people to bring in cell phones or other devices. But it's actually quite hard to distinguish some regular wrist watches from one with cameras or communications devices in them. I think if you really want to have a "secure" facility, then you pretty much have to limit people to bringing in no electronic devices whatsoever.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
In what way should anybody be surprised that a wearable, wireless device has implemented security in a completely incompetent way?
These are products which are intended to be cool, shiny, and pretty ... but secure? Not even a little.
I continue to be unsurprised by this crap, and I continue fairly firm in my indifference to owning any of this stuff ... and the same goes for the "Interweb of Stuff"; I assume that out of the gate it's going to be insecure and stupid.
Unless companies have actual legal liability for shit security, you'll continue to see shit security.
So just don't buy it if you value security or privacy -- because they're all pretty much designed to upload your information to analytics companies anyway.
Lost at C:>. Found at C.
I work in a secure facility, and activity tracking wristbands (among many other things) are forbidden.
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
This whole IoT concept is treating security as a joke. In the first wave of computing, the mini-computers (particularly Windows) treated security as an after-thought. That created the virus-laden era of the 1990s and early 2000s. The second wave, the "new" smart phone, learned the lessons, and uses sandboxes, walled gardens, permissions, encryption, tokenization, etc. pervasively. It's not fool-proof but at least the door is locked. Now we are approaching the third wave, the Internet of Things, and manufacturers think these devices are so personal that no security is needed. What do they say about people who don't learn any history?