Opt-Out Fitness Data Sharing Leads to Massive Military Locations Leak

People who exercise with fitness trackers have a digital record of their workouts. They do it for a wide range of reasons, from gathering serious medical data to simply satisfying curiosity. When fitness data includes GPS coordinates, it raises personal privacy concerns. But even with individual data removed, such data was still informative enough to spill the beans on secretive facilities around the world.

Strava is a fitness tracking service that gathers data from several different brands of fitness tracker — think Fitbit. It gives athletes a social media experience built around their fitness data: track progress against personal goals and challenge friends to keep each other fit. As expected of companies with personal data, their privacy policy promised to keep personal data secret. In the same privacy policy, they also reserved the right to use the data shared by users in an “aggregated and de-identified” form, a common practice for social media companies. One such use was to plot the GPS data of all their users in a global heatmap. These visualizations use over 6 trillion data points and can be compiled into a fascinating gallery, but there’s a downside.

This past weekend, [Nathan Ruser] announced on Twitter that Strava’s heatmap also managed to highlight exercise activity by military/intelligence personnel around the world, including some suspected but unannounced facilities. More worryingly, some of the mapped paths imply patrol and supply routes, knowledge security officers would prefer not to be shared with the entire world.

This is an extraordinary blunder which very succinctly illustrates a folly of Internet of Things. Strava’s anonymized data sharing obsfucated individuals, but didn’t manage to do the same for groups of individuals… like the fitness-minded active duty military personnel whose workout habits are clearly defined on these heat maps. The biggest contributor (besides wearing a tracking device in general) to this situation is that the data sharing is enabled by default and must be opted-out:

“You can opt-out of contributing your anonymized public activity data to Strava Metro and the Heatmap by unchecking the box in this section.” —Strava Blog, July 2017

We’ve seen individual fitness trackers hacked and we’ve seen people tracked through controlled domains before, but the global scope of [Nathan]’s discovery puts it in an entirely different class.

[via Washington Post]

34C3: Fitbit Sniffing and Firmware Hacking

If you walked into a gym and asked to sniff exercise equipment you would get some mighty strange looks. If you tell hackers you’ve sniffed a Fitbit, you might be asked to give a presentation. [Jiska] and [DanielAW] were not only able to sniff Bluetooth data from a run-of-the-mill Fitbit fitness tracker, they were also able to connect to the hardware with data lines using test points etched right on the board. Their Fitbit sniffing talk at 34C3 can be seen after the break. We appreciate their warning that opening a Fitbit will undoubtedly void your warranty since Fitbits don’t fare so well after the sealed case is cracked. It’s all in the name of science.

There’s some interesting background on how Fitbit generally work. For instance, the Fitbit pairs with your phone which needs to be validated with the cloud server. But once the cloud server sends back authentication credentials they will never change because they’re bound to to the device ID of the Fitbit. This process is vulnerable to replay attacks.

Data begin sent between the Fitbit and the phone can be encrypted, but there is a live mode that sends the data as plain text. The implementation seemed to be security by obscurity as a new Bluetooth handle is used for this mode. This technique prevents the need to send every encrypted packet to the server for decryption (which would be for every heartbeat packet). So far the fix for this has been the ability to disable live mode. If you have your own Fitbit to play with, sniffing live mode would be a fun place to start.

The hardware side of this hack begins by completely removing the PCB from the rubber case. The board is running an STM32 and the team wanted to get deep access by enabling GDB. Unfortunately, the debug pins were only enabled during reset and the stock firmware disables them at startup (as it should). The workaround was to rewrite the firmware so that the necessary GPIO remain active and there’s an interesting approach here. You may remember [Daniel Wegemer] from the Nexmon project that reverse engineered the Nexus 5 WiFi. He leveraged the binary patching he used on Nexmon to patch the Fitbit firmware to enable debugging support. Sneaky!

For more about 34C3 we have a cheatsheet of the first day and for more about Fitbit security, check out this WAV file.

Continue reading “34C3: Fitbit Sniffing and Firmware Hacking”

Official: Pebble Ceases Hardware Production

Today Pebble has announced that it will cease all hardware production. Their outstanding Kickstarter deliveries will not be fulfilled but refunds will be issued. Warranties on all existing hardware will no longer be honored. However, the existing smartwatch service will continue… for now.

This isn’t unexpected, we ran an article yesterday about the all-but-certain rumors FitBit had acquired Pebble (and what led to that). Today’s news has turned speculation about Pebble 2 and Pebble Core Kickstarter campaigns into reality. You won’t get your hands on that fancy new hardware, but at least backers will have the money returned.

Perhaps the most interesting part of today’s blog post from the founder of Pebble, Eric Migicovsky, is about how this impacts more than a million watches already in the wild. Service will continue but (wait for it) “Pebble functionality or service quality may be reduced in the future.”

It’s not like this is a unique problem. Devices purchased by consumers that are dependent on phoning home to a server to function is a mounting issue. Earlier this year [Elliot Williams] coined this issue “Obsolescence as a Service” which is quite fitting. Anyone who still has a functional first generation iPad has enjoyed reduced quality of service; without available upgrades, you are unable to install most apps. It’s zombie hardware; electrons still flow but there’s no brain activity.

One of the perks associated with FitBit acquiring Pebble is that they have decided to keep those servers running for watches in the field. A cynic might look at the acquisition as FitBit reducing competition in the market — they wouldn’t have let hardware production cease if they were interested in acquiring the user base. At some point, those servers will stop working and the watches won’t be so smart after all. FitBit owns the IP which means they could open source everything needed for the community to build their own server infrastructure. When service quality “reduced in the future” that’s exactly what we want to see happen.

The Demise of Pebble as a Platform

Despite owning five, including the original Pebble, I’ve always been somewhat skeptical about smart watches. Even so, the leaked news that Fitbit is buying Pebble for “a small amount” has me sort of depressed about the state of the wearables market. Because Pebble could have been a contender, although perhaps not for the reason you might guess.

Pebble is a pioneer of the wearables market, and launched its first smartwatch back in 2012, two years before the Apple Watch was announced. But after turning down an offer of $740 million by Citizen back in 2015, and despite cash injections from financing rounds and a recent $12.8 million Kickstarter, the company has struggled financially.

An offer of just $70 million earlier this year by Intel reflected Pebble’s reduced prospects, and the rumoured $30 to $40 million price being paid by Fitbit must be a disappointing outcome for a company that was riding high such a short time ago.

Continue reading “The Demise of Pebble as a Platform”

Hackaday Links: October 13, 2013

hackaday-links-chain

This week’s post on core rope ROM was pretty popular. [Joey] wrote in with a book recommendation for those that found the project interesting. Digital Apollo discusses the technology which NASA built into the guidance computer. That was also the subject of a recent Retrotechtacular.

A few members of the Vancouver Hack Space came up with their own take on the Word Clock. It uses an old monitor, a laser-cut bezel, and Javascript to light up the correct characters.

When we last looked in on [Vincent’s] plywood stool project he had branched out into plywood folding chairs as well. Here’s two updates on his progress.

This one’s just silly. To keep up with his wife on exercise goals, this guy cheated using a reciprocating saw to spoof his exercise. Tape the FitBit to the saw blade, clamp the saw to the workbench, and then let her rip! [via Reddit]

[Harrison] wrote into share the Arduino button library he developed. It is designed to allow detection of multiple types of button events without blocking other operations. He came up with the project to use with his motorcycle hacking.

It looks like [Bertho] has kitted up his Executive Decision Maker. We first saw this as a perfboard project a couple of years ago.

And finally, [Bob Alexander] makes your hard drive clock look puny. His uses the platter from a 40-year-old mainframe hard drive.

Open Activity Tracker Webcast

livedesign4

The Upverter team loves their FitBit activity tracking devices, but wanted access to raw data. They decided to build their own Open Activity Tracker that would pump data onto an SD card or to a Bluetooth device for processing.

The device uses MPU-9150 motion tracking IC to gather information on movement. This chip combines an accelerometer, gyro, and compass. It also does on-board processing, providing useful data to your host processor over I2C. The only bad news is that it’s a LGA package, which aren’t fun to solder by hand.

The design also has a SD card, Bluetooth module, pressure sensor, and e-ink display. These are all connected to a low power ARM microcontroller.

The team has been webcasting their design sessions, and tonight [Eric Evenchick] (that’s me) will be joining them as they try to cram all of these components onto a PCB. You can watch the live webcast starting at 8:30pm Eastern.

You can watch the previous design sessions after the break.

Continue reading “Open Activity Tracker Webcast”

FitBit Hack causes food to spoil if you don’t exercise

exercise-or-starve

This hack could be titled ‘Exercise or Starve’. [Charalampos] needed some motivation to become more active. There’s a device called a FitBit tracker (black and blue on the left) which records your activity and submits it to a web interface. You get daily goals and can earn badges. But those stinking badges didn’t motivate him. He decided he needed something that would really get him off of the couch. So he hacked the FitBit to cut power to his refrigerator. Not meeting his goals will eventually result in a stinky mess and no dinner.

It’s a bad idea to cut power to the icebox. But we see this merely as a proof of concept. He’s using the Belkin WeMo networked outlet. Other than some security issues we discussed on Thursday this is a very simple way to control devices from your server. [Charalampos’] implementation uses the FitBit API to check his activity and drives the outlet accordingly.