Hacking BodyBugg fitness sensors to get around subscription fee

This arm cuff is a sensor package that logs data whenever you’re wearing it. It records accelerometer data, skin temperature, and galvanic skin response, which can then be analyzed to arrive at figures like calories burned. But the company behind the device appears to have included a way to keep the cash flowing: once you buy it you can read the data off the device using a Java program they supply, but you can’t erase the data from the device unless you subscribe to their online service. Once the memory fills up, the device is useless. [Doug] wasn’t happy with this gotcha, so he reverse engineered the technique used to clear the BodyBugg’s memory.

There had been a few previous attempts at reverse engineering the device, but that groundwork didn’t really help [Doug] on his quest. He ended up disassembling the Java classes from the original program, which helped him figure out how to initialize communications. Once there, he was happy to find that the device will tell you how to use it: if you issue an invalid command, it responds with a list of all valid commands. Everything you need to get up and running can be found in his GitHub repo.

Comments

  1. Dr. DFTBA says:

    That’s funny.

    You:
    a;klsdnth

    It:
    Oops! Looks like you’re trying to hack me!
    if(normal company’s product)
    {
    ABORT! ABORT!
    }
    else
    {
    Oh! Here’s how you break into me properly! Thanks for your business :D
    You:
    Yeah, thanks for your help, I guess…

  2. Aaron E says:

    I am super-psyched about this. I have a BodyMedia sitting on my desk at home not doing anything because our free-trials ran out. This is what I’m doing tonight.

  3. n0lkk says:

    I’d like to think there was a righteous engineer that took a great risk, and left this vulnerable to hacking. Where this is vulnerable the engineer didn’t do his job from the viewpoint of management, and investors. Personally I care more about the engineer than I do about investors; investors are mere paper holders, and have no other interest in a company, its product and the employees that make the product, their only interest is the dividend check. Good companies manufacturing good product, will always have willing investors. While I may never have this product a thank you to Doug for sharing

    • Galane says:

      If too many people hack it, the continuing revenue stream drops to the point where the company no longer makes a profit. It closes up shop and the jobs of everyone involved in production and servicing of the device go *poof*.

      That’s the end result of “power to the people”.

      • John says:

        If lots of people are hacking them lots of people are buying the hardware, even if they don’t pay the subscription.

        • dan says:

          that doesn’t make sense if the hardware is sold at a loss to entice users to a subscription service.

          • qwerty says:

            You just unveiled the dark side of consumerism.

          • Will says:

            Which is a good reason for companies not to use this business model. If I buy a physical item, I own the physical item. I am under no legal or moral obligation to purchase any additional products or services.
            Companies need to learn that just because they want to be able to make money doing something a certain way doesn’t mean the rest of the world needs to oblige them. Supply and demand works both ways.

          • donhamilton says:

            I would like to know if the company has records of how many people actually re-new their subscriptions after the FREE time has expired.

            Did their business plan include a 50% re-new rate ??

            If they expected 90% re-new, their plan was broken from the start.

          • donhamilton says:

            I doubt they are selling at a loss.

            Maybe not a retail margin, but not a loss.

            A few months ago they got $12 Million in investment funding.
            http://techcrunch.com/2012/05/23/bodymedia-raises-12-million-funding-round-led-by-comcast-ventures/

            This device has been hacked for awhile now.

            Only this group is new to hacking it.

      • fartface says:

        They deserve that. Price the device at a point where you make profit. Oh wait, your product sucks and is overpriced so people won’t buy it at a point where you make profit? Wah, you deserve to go out of business then.

        • Bill Gander says:

          How about just not buying it? These devices are all overhyped garbage anyway. Just so ya can squeeze another 200 calories burned into your workout thru fuzzy math lol. Buy the one that says ya burned the most calories! Like others have said, kudos to the engineer on this one for leaving the door open.

        • donhamilton says:

          This business model is fine.

          They just need to know that some percentage of people will hack their devices.

          Some percentage of people will drop their subscriptions.

          Some percentage of people will stop using the device, but forget to drop their subscriptions.

          I need to check to see if the parent company is public, and see if their annual report mentions these things.

  4. truebassb says:

    Nice hack.

    Wondering how much stupid this could have got… They sell devices like candies for $200 plus and they want a monthly subscription?

    A nice way to get happy customers the first month, and boycotters since the second.

    • Ren says:

      And that is why I haven’t bought a smartphone…
      In order to sync a “smart”phone to my existing M$ Outlook [calendar, contacts] I was told I needed a $30 (USD)/month subscription. Therefore I’d need to pay $360/year to have the same functionality I currently have with my “dumb”phone and my PDA (purchased used for $10 (USD) several years ago). I admit, there is no direct link between my PDA and the phone to enable the phone to dial directly from an Outlook contact, but the 3 or 4 times I need to do it each year are less “inconvenient” than $360 for the same time period.

      • Bill Gander says:

        In case no one else tells you today, “You rock!” As a former razr/palmer myself, keep up the good times and skweezer for all of those pesky newfangled sites! I wish I remembered my final setup but after the initial setup, it worked pretty darn well. The wife got annoyed with syncing, though and eventually we replaced our phones with another round of dumbphones. Like yourself, the data plans are just not worth it to us as our cable internet is fing 50 bux a month (and I have a problem with that lol). Anyway, keep on keeping on man!

  5. Paul. says:

    In my opinion these kinds of devices are not really worth hacking.
    They should only be brought back to the shop for a refund.
    I did the same with my Squeezebox about a year ago, it was not possible to use that thing without a subscription from Logitech.

    • SliMP3 lover says:

      What? I’ve owned Squeezebox devices ever since the original SliMP3. There’s no need for a subscription to play your own media files. Not sure why you would think one would be needed.

  6. Anyone care to write a Dummies for building this software type post somewhere for those of us that are programming-challenged? It would be greatly appreciated :)

    • bemasher says:

      I’m using Eclipse to build the software, the only source file you need is the bodybuggbypass.java file. Just create a new Java project and in the project properties add the external jars to the build path, should compile and run without too much fiddling.

  7. qwerty says:

    Thanks to that engineer, after the company goes bankrupt (all companies will, eventually) some of their products won’t become paperweights or – much worse – environmental hazards like most closed-hardware electronics do.

  8. sonofsmog says:

    Oh come on, we have all left that stuff in to help us with development/debugging… The company won’t lose a dime because those of us that will bother to hack it wouldn’t pay for the service anyhow. Now off to eBay to find one ;-)

  9. Wilcorp70 says:

    This is not the first work on this device. The bodybugg and other rebadged versions (gofit, etc) were hacked a while ago with a simple program called freethebugg (search for it on facebook, no, really, facebook). Although the work done here definitely delves more into the nuts and bolts though. My wife and I have been using the freethebugg software for a while to use a second hand bodybugg without a subscription.

    Also, part of the reason the device might be so hacker friendly is that they actually licence the technology to other companies, making it more friendly for them to implement/change features is good business on that end.

  10. donhamilton says:

    Are there any pics of the internals ??

  11. justice099 says:

    Anyone successfully get the second library? The link didn’t work for me. Talking about
    common-applets-1.10.0-SNAPSHOT.jar

  12. NewCommentor1283 says:

    vending machine:
    insert coins.
    or if coins unavailable, insert dummy coins.
    lol thank you for the directions ;)

    but seriously, someone could make a serious profit off of this company

    • NewCommentor1283 says:

      PS: when people realise that their “affordable” $200 gizmo actually costs them $600 over five years… (plus the $200)

      wow, $800 plus tax!!!!

      now that tiny $10/mo doesn’t look so small ;)

      PPS: in my opinion if a hardware device is utterly useless without its software, then the software should be free by law.

      that would show them

      • Whatnot says:

        Agreed on that PPS

        • aaroneiche says:

          Encompassing something like this in law gives it all kinds of additional problems. Which government agency becomes responsible for the enforcement of this law? How long is a company forced to provide support for a device? Who does it apply to? Companies? OSHW developers? What happens if the only software being made for a device is being made by an independent developer? Is he required by law to distribute it?

          Remember, this is a product that is available for voluntary purchase. No one is being forced into this.

          In truth, a lot of these problems are those faced by Public Domain works (which is another discussion entirely). Obligating individuals by law is very often a poor solution.

          • cde says:

            Simple:
            The FCC.
            The companies are not forced to support a simple hardware device, but an online only service should have a minimum of x number of years, except in cases of actual bankruptcy (if they have a parent company, the parent company must take over).
            It applies to anyone selling a device with a stated purpose. Hell, it’s already called “implied warranty of merchantability”.
            Yes, they would be required to provide software for said purpose if said purpose only works like that.

            In practice, it is simple. Device x does y. Provide software/CD for said device. Software should not have a killswitch after x number of years. They don’t have to update it, it just has to work as stated on the intended OS. My copy of Photoshop 3 might be obsolete by a few generations of computer upgrades now, but if I pull out my old Apple Performa, I can still run it. I can still install Windows XP on any Pentium 3 computer. It’s not hard that SOMETHING SHOULD WORK AS DESCRIBED WITHOUT ARTIFICIAL LIMITATIONS. If I buy a camera today, it damn well better work with the same software on a computer 20 years from now, unless the camera or the computer physically break. This is no different.

            Look at MMORPG. They plainly state that a, online service is required, b, subscription is required, c, that it is limited to how ever long they decide to run a server.
            If Bodybugg put that on their packaging, in not-fine print, then they would be safe.

          • NewCommentor says:

            i meant more of a
            “you can not sue me for buying AND USING a used product”
            … even if the original disk was destroyed, outdated, etc

            as in make it LEGAL to resell software ONLY IF ACCOMPANIED WITH ORIGINAL HARDWARE

            as in most software is ORIGINAL PURCHASER ONLY
            second hand sale is illegal, but should not be, if the only thing the software does is communicate with a specific hardware device… one that has been paid for

    • hugowesseling says:

      It’s more like: Insert real coin, get can, then notice that you can only drink from can by paying 5 cents a sip.

      Therefore: break open can.

      They’re sneaky bastards. When going to the buying page, they mention the subscription fee in tiny font on the bottom: “**bodybuggSP personal calorie management system includes 6 months online subscription. Online subscription renewal fee is $6.95 for month to month.” And that is not even specifically saying the device will be useless without the fee. This is very close to misleading advertising.

  13. aaroneiche says:

    Body Media argues that they add the monthly value to your use of the device by continuing to refine the report of what you get out of your device. For instance, not too long ago they took their development team to spend time with the devices on exercise bikes so they could improve the accuracy of the output you get from that (they have been notoriously inaccurate on exercise bikes and elliptical machines).

    I used a Body Media sensor for 3 months and loved it. My free subscription expired and I wasn’t willing to pay for it. That said, there’s more than just the raw data off the device at work here. It’s reasonable to say that a person could build their own set of algorithms to process the data further. But it’s not just Body Media/24 hr fitness taking everyone for a ride. There are advantages to the subscription model.

    • bemasher says:

      This is true, though for people who just want the device and the data it records you kind of get lumped into a more expensive business model. I for example was never interested in calorie calculations, I’m primarily using it for some research I’m doing on sleeping habits and how they’re affected by ambient/body temperature.

      • aaroneiche says:

        I agree completely. I haven’t found the competing products (Fitbit, Nike Fuel, etc) to provide the same level of data. I’m very pleased that you spent the time figuring out how to do this. You’ve provided a significant benefit to the community.

      • Adobe/Flash hater says:

        Bemasher: this likely isn’t applicable to your needs; but I found out, courtesy of the home wintertime T’stat wars and a bit of further noting as a solo occupant, what my optimum sleep temps were/are.
        For me, (Fahrenheit) 65 or below = best sleep.
        68 brings active, recallable dreams, that may awaken me during them, and ambient noises easily awaken me.
        70 takes it to “common grade” nightmares.
        72~73 begins to set off the really bad ones, truly bizarre stuff that makes the internet look tame.

    • borko says:

      I have similar “problem” at work. My company is planning home automation server, but it won’t work without a subscription fee (it will connect to company’s servers for easy remote control over internet), what arguments could I use to convince my boss to include “offline” mode where you can have your own server and use it yourself in any way you need?

      • Derf says:

        There are never internet/telco interruptions? If the thing is useless without “calling the mothership” I’d be angry when a storm knocks out the internet connection, and I can’t turn lights on, run heat/ac, etc.

      • polossatik says:

        ueh, things like “if you provide an open API/decent interface doc you will then actually sell stuff to geeks who will play with it, recommend it to their non-tech friends (who will pay the fee since they don’t want to set up their own servers, router config, etc and want to simply use it) and do silly things with it that are then featured on high traffic sites like HaD, Make, Instructables etc?”
        note that I’m not talking about having a dumbed down “no sub” mode but allowing people to actually interface with it and mod it/adapt it/etc

      • Matt says:

        Well, if the hardware is designed as a human interface device with just enough ‘brains’ in the house to run essential functions without the outside link, then what he is really selling is the algorithm that is only run on his servers. That algorithm/service is simple to keep a trade secret, so all he has to do is make sure his version is better than any open source version that happens to pop up. Hell…release the API and invite other companies to make compliant devices. Let them worry about hardware development, inventory and supply chain headaches. Then, once you have a huge database of user energy usage stats, sell the whole thing to google and retire.

      • M H says:

        There are plenty of parts of the US where broadband is not available, you are stuck using dialup. Don’t know what your market is, but even if it is fancy homes – there are plenty of fancy homes built out in the country.

        Security would be another angle. If your system has to be accessible from the internet, then it is more open to hacking (monitoring by outsiders, or even control by unauthorized users). So being able to run your own server would be a selling point for those who are security conscious, or paranoid.

        (After “the big one” it would be a real downer if the zombies got control of your home, or if you couldn’t use your toys because the company’s servers got fried.)

        Future proofing – companies come and go. I wouldn’t put my data in a cloud/server/whatever that I couldn’t get it back out of. Likewise, wouldn’t buy a home automation system, alarm, etc. that I couldn’t keep using after the company goes belly up. Your boss may not like that approach – but there are consumers out there who think ahead.

  14. xorpunk says:

    The GitHub is missing the actual classes, must be licensing issues. I don’t see any actual protection through the Java code though, looks like it works off a time-stamp checksum in firmware, you change it through the class call and it writes again; class call uses JVM serial class.

    I would have disabled OCD and used PKI or ECDSA with server-responses that set bit-fields ^^

    Also I think it’s funny everyone flaunts their supposed tech knowledge but show how noob (or never-employed) they are by realizing all tech funding comes from marketing and business modeling…

    • bemasher says:

      I omitted any of the class files BodyMedia created after finding the DMCA notice issued to remove FreeTheBugg’s documentation and source code from google docs. They got it all removed because the FreeTheBugg jar had verbatim copies of the classes from the applet jars used for uploading data to their service.

  15. Scuffles says:

    OK, if Bodybugg wanted to charge for updates to their phone app that would have been one thing. Instead they decided if you aren’t subscribed they are going to cripple your device… Sorry, that is just disgusting.

    • RDZombie says:

      agreed, I really dislike companies that use these “screw the customer” tactics

      • donhamilton says:

        I would bet that most of the people that bought this device, don’t care about what we do with our purchases. As long as they get what they wanted and do not have to work for it.

        At <$10/month, that's not very much work for what they are getting. Now how much work have you put in to hacking this thing?

        And what will you get out of it?

        Please, go hack the world, I love it!

        But, don't dis the man just because YOU can't or don't WANT to pay for his service.

        Let's just get back to hacking.

  16. Jimmy the Geek says:

    I wonder how long it takes before it is a crime to interfere with a business model.

    • dan says:

      if you have to agree to an EULA to use the software, and that EULA forbids reverse engineering. uh, right now?

    • M H says:

      Consider some of the draconian aspects of US intellectual property law regarding organisms (think seeds). In parts of the country you cannot grow soy beans from your own saved seed because there are enough other growers that use seed that is certain companies’ intellectual property, so that if your beans get pollinated by their seed, then they haul you into court for violating their IP. (Even though they are the ones who let their IP blow around in the wind, or be carried off by insects).

      Or look at some of the food libel laws. (You have to be really careful what you say about certain types of products.)

      (i.e. it already is a crime in some areas).
      http://www.cspinet.org/foodspeak/

  17. NewCommentor says:

    in USA, companies steal personal information

    in soviet russia, you pay the company to take your data (away)
    er wait… not russia lol

  18. CG says:

    Great, just when the MyBasis comes out.

    • bemasher says:

      I wouldn’t worry about it too much, the MyBasis is twice as expensive and is sold out until Christmas. Although it records heart rate optically without any external devices and they’re developing an API to access your data.

  19. Bob says:

    can’t find the jars that are required. anyone know where else to get them?

  20. bemasher says:

    I’ve updated the links on both my blog and github to point to the new versions of the jars. However, I’ve not had a chance to test them with the application, so I’m not sure if they’ll work without modifying the code.

  21. Bob says:

    When I try to run it (using the 1.11 version of the jars, and “java -jar bodybuggbypass.jar”), I get the following error:

    “Exception in thread "main" java.lang.NoClassDefFoundError: com/bodymedia/common/applets/CommandException”

    Is this due to the new jars? Or just me doing something wrong?

  22. Mark says:

    The bodymedia jars are gone now.
