Reverse Engineering the Nike+ FuelBand's Communications Protocol

An anonymous reader writes: Security researcher Simone Margaritelli has reverse engineered the Bluetooth low-energy communications protocol for his Nike+ FuelBand SE, a wrist-worn activity tracker. He learned some disturbing facts: "The authentication system is vulnerable, anyone could connect to your device. The protocol supports direct reading and writing of the device memory, up to 65K of contents. The protocol supports commands that are not supposed to be implemented in a production release (bootloader mode, device self test, etc)." His post explains in detail how he managed this, and how Nike put effort into creating an authentication system, but then completely undermined it by using a hard-coded token. Margaritelli even provides a command list for the device, which can do things like grab an event log, upload a bitmap for the screen, and even reset it.

Undermined security w/ hardcoded token?

Developer: That's insecure.
Phil Knight: Just do it.

Is anybody surprised?

[gstoddart]

In what way should anybody be surprised that a wearable, wireless device has implemented security in a completely incompetent way?

These are products which are intended to be cool, shiny, and pretty ... but secure? Not even a little.

I continue to be unsurprised by this crap, and I continue fairly firm in my indifference to owning any of this stuff ... and the same goes the for "Interweb of Stuff"; I assume that out of the gate it's going to be insecure and stupid.

Unless companies have actual legal liability for shit security, you'll continue to see shit security.

So just don't buy it if you value security or privacy -- because they're all pretty much designed to upload your information to analytics companies anyway.

Re:So, what's the practical concern of this?

[oodaloop]

I work in a secure facility, and activity tracking wristbands (among many other things) are forbidden.

Data mule-ing and brick-ing?

[xxxJonBoyxxx]

As I understand the analysis, this exploit could be used to turn Fuelbands into data mules. It could also let someone temporarily brick all the Fuelbands within range (could be fun at the start of a marathon or at the gym).

>> Cmd_Bootloader: Set the device to bootloader mode ( basically it locks down the device, the official app won't work either ... only resetting it with the usb cable will unlock it ).
>> Cmd_SampleStore: Use the device memory to store a custom object (!!!)

Didn't they learn the lesson of the PC?

[zoffdino]

This whole IoT concept is treating security as a joke. In the first of wave computing, the mini-computers (particularly Windows) treated security as an after-thought. That created the virus-laden era of the 1990s and early 2000s. The second wave, the "new" smart phone, learned the lessons, and use sandboxes, walled garden, permissions, encryption, tokenization, etc. pervasively. It's not fool-proof but at least the door is locked. Now we are approaching the third wave, the Internet of Things, and manufacturers think these devices are so personal that no security is needed. What do they say about people who don't learn any history?

Re:OMG the Horror!

[AchilleTalon]

Better, you can let him think he hasn't burn enough calories and make him running forever.

Re:screw fitness bands.

[tlhIngan]

the privacy policy insists they sell de-identified data (because metadata is a dirty word these days) to third parties

Metadata is NOT de-identified data. Metadata is data about data, while de-identified data is anonymized data.

Metadata would be for example how often and when you upload your results to their website, but nothing on what you ran or for how long and all that (that's data). The data itself would be your track, pace, location and all that information, tied to you.

De-identifying the data would mean advertisers get access to your track, pacing and other stuff, but with no name attached, and maybe even missing a few reporting points so your address isn't obvious by looking at the endpoints.

It's not that metadata is a bad term - it's reasonably accurate because it's the difference between say, a pen recorder and a wiretap recorder (ohe records details about the call, the other records the call itself). Or recording IP headers over recording packet contents.

You deal in metadata a lot - a file name is metadata - it's not a part of the file's contents (the data), just like the date and other details. You can get access to file metadata quite easily even if you can't read the file itself (and it's not possible to read the file without being able to access the metadata).