Reverse Engineering the Nike+ FuelBand's Communications Protocol

An anonymous reader writes: Security researcher Simone Margaritelli has reverse engineered the Bluetooth low-energy communications protocol for his Nike+ FuelBand SE, a wrist-worn activity tracker. He learned some disturbing facts: "The authentication system is vulnerable, anyone could connect to your device. The protocol supports direct reading and writing of the device memory, up to 65K of contents. The protocol supports commands that are not supposed to be implemented in a production release (bootloader mode, device self test, etc)." His post explains in detail how he managed this, and how Nike put effort into creating an authentication system, but then completely undermined it by using a hard-coded token. Margaritelli even provides a command list for the device, which can do things like grab an event log, upload a bitmap for the screen, and even reset it.

So, what's the practical concern of this?

[TWX]

Are people going to reverse-engineer these things so that when they're worn into secure facilities, they inject-attack systems in the secure facility?

Are they going to act as a vector to attack other Bluetooth Low Energy capable security systems?

I simply want to know what kind of maliciousness can be achieved through exploiting bugs in a very, very special-purpose device.

screw fitness bands.

[nimbius]

from a social standpoint these devices are near and helpful. From a FOSS standpoint these devices are intrusive and treat their users like cattle. Check out Fitbit for example, the largest provider of digital harvesting/tracking hardware. the privacy policy insists they sell de-identified data (because metadata is a dirty word these days) to third parties. So if you're wondering why health insurance companies are pushing biometric competitions at the workplace using subsidized devices its because your health is not their primary concern. Determining an accurate insurance rate for a component of workers that are at heightened risk for diabetes, heart attack, and alzheimers is what they care about. Your corporation in turn cares about your health, and might reward you with water bottles or gift cards to sporting goods stores that, in turn, might turn into a newer fitbit/fuel.

the protocol used to affect data and function of the device is trivial, Galileo and libfitbit hacked this a few years ago. The real problem is your biometric data which is transferred across the device in an AES/md5 header encrypted blob. This violates countless freedoms of the application, starting with 0. The key to decrypt this data doesnt exist for you, and hence you're tethered to a website and a product that if it were ever usurped by say, fitness applications on your phone, would go bankrupt, shutter its doors, and leave you with a nice chunk of plastic that showed numbers and belched motivational platitudes. the real work in these devices should be decrypting the collected data without the use of the companies respective servers and web resources.