Hacking The Nike+ Fuelband

[Simone] was trying to reverse-engineer the Bluetooth protocol of his Nike+ Fuelband and made some surprising discoveries. [Simone] found that the authentication system of the Fuelband can be easily bypassed and discovered that some low-level functions (such as arbitrarily reading and writing to memory) are completely exposed to the end user or anyone else who hacks past the authentication process.

[Simone] started with the official Nike app for the Fuelband. He converted the APK to a JAR and then used JD-Gui to read the Java source code of the app. After reading through the source, he discovered that the authentication method was completely ineffective. The authenticator requires the connecting device to know both a pin code and a nonce, but in reality the authentication algorithm just checks for a hard-coded token of 0xff 0xff 0xff 0xff 0xff 0xff rendering the whole authentication process ineffective.

After he authenticated with the Fuelband, [Simone] started trying various commands to see what he could control over the Bluetooth interface. He discovered that he could send the device into bootloader mode, configure the RTC, and even read/write the first 65k of memory over the Bluetooth interface–not something you typically want to expose, especially with a broken authentication mechanism. If you want to try the exploit yourself, [Simone] wrote an Android app which he posted up on GitHub.

15 thoughts on “Hacking The Nike+ Fuelband

  1. Nike is world world renowned for their security, unfortunately it is only for grip in their runners. It is like as an after thought they decided to add some security, not good security, but some. Good security starts day one of design, not something that is bolted on at the eleventh hour. – https://xkcd.com/221/

  2. Why would you care about security for a device like this anyway? A regular user won’t care and anyone looking to get more out of it will be happy. Unless Nike starts selling hardware equivalent versions with moar features.

  3. At first, I was unimpressed. I mean it’s a good hack, but what can you do with a fuel band? Then I looked up what the fuel band does: it stays permanently synced to your phone. Seems like it might be a way to get past some of the security on someone’s phone or laptop.

  4. I bought a fuel band off ebay that has been factory reset. Of course now that I know Nike connect has been abandoned, its pretty much useless unless I can figure out how to set it up. Am I just screwed?

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.