Fitbit Aria Wi-Fi Smart Scale: Unterschied zwischen den Versionen

(add response ASCII arts, remove direction ("Fitbit.com -> Aria") because it looked ugly in the table of contents)
 
(11 dazwischenliegende Versionen von 3 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
 
{{Infobox Projekt
 
{{Infobox Projekt
|name            = Fitbit Aria Wi-Fi Smart Scale
+
|name            = Fitbit Aria Wi-Fi Scale
 
|kategorie      =  
 
|kategorie      =  
 
|status          = beta
 
|status          = beta
 
|autor          = [[Benutzer:architekt|architekt]], [[Benutzer:krisha|krisha]]
 
|autor          = [[Benutzer:architekt|architekt]], [[Benutzer:krisha|krisha]]
|beschreibung    = Fitbit WLAN Scale Reverse Engineering
+
|beschreibung    = Reverse engineering the Fitbit Aria WLAN scale protocol
 
|image          = Fitbit cat img.jpg
 
|image          = Fitbit cat img.jpg
 
|imagesize      = 280
 
|imagesize      = 280
Zeile 11: Zeile 11:
 
[[Category:Software]]
 
[[Category:Software]]
  
== description==
+
== Description ==
=== the scale ===
+
=== The Scale ===
The scale offered by fitbit.com measures weight and body fat. The data is then submitted to their website and can be further analysed. It is possible to use one scale for multiple users including different accounts on fitbit.com website. The scale identifies the users by their weight and maybe by their body fat.
+
The scale offered by [http://fitbit.com Fitbit] measures weight and body fat. The data is then submitted to their website and can be further analysed. It is possible to use one scale for multiple users including different accounts on Fitbit's website. The scale identifies the users by their weight and maybe their body fat.
  
===the master plan===
+
=== The Master Plan ===
We want to create an own service to analyse the data in our own way. With that we're able to bypass limits and to extend the functionality. We are maybe able to allow more users and are able to identify the users in a better way. Additionally the data is not transmitted any more unencrypted to a public website (fitbit.com is password protected). One main interest is also the reversing of the protocol and maybe more...
+
We want to create our own service to analyse the data ourselves. With that we're able to bypass existing limits and to extend the functionality. We may be able to allow more users and to identify the users in a better way. Additionally the data is not send to a public website vie unencrypted transmission anymore. One main interest is also the reverse-engineering of the protocol and maybe more...
  
== analysis ==
+
== Analysis ==
=== request ===
+
=== Request ===
* The data is transmitted with HTTP POST to http://www.fitbit.com/scale/upload
+
* The data is transmitted with HTTP POST to http://www.fitbit.com/scale/upload.
* Usually it consists of 62 bytes of binary data in little endian format
+
* It usually consists of 62 bytes of binary data in little endian format.
** In case there is no connection, the data is stored inside the scale and transmitted in a bulk when it is used next time
+
** In case there is no connection, the data is stored inside the scale and transmitted later.
  0               4                  8             0xC
+
  0                   4                  8                   C
  +---+---+---+---+---+---+---+---+   +---+---+---+---+---+---+---+---+  
+
  +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
  |   Ident 1   |   ??? (1)    |   |          MAC         | ???  >
+
  |     Ident 1     |       Battery    |     MAC Address of scale    | Firmware>
  | 02  00  00  00| 5C  00 00  00|   | 00  1D C9 XX XX XX| 1C 00>
+
  |     fixed (2)    |    in percent    | 00  1D   C9   XX   XX   XX |  e.g.  >
  +---+---+---+---+---+---+---+---+   +---+---+---+---+---+---+---+---+
+
  +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
  > (2)  |   ??? (3)    |   Timestamp 2    |   ??? (4)    | Ident >
+
  > version |     unknown      |     Timestamp     | Number of measure-| Ident   >
  > 00  00| 21  00  00  00| 30  4D      90  50| 01  00 00  00| 02  00>
+
  >   28    |     fixed (33)    |     Sync; Unix    |   ments (here 1) | fixed  >
  +---+---+---+---+---+---+---+---+   +---+---+---+---+---+---+---+---+
+
  +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
  >  2    |   ??? (5)    |    Weight in g   |  Timestamp 1 | User  >
+
  >         |  Elec. impedance |   Weight in g     |  Timestamp Meas- |   User  >
  > 00 00| 00  00  00  00| 06  FE      00  00| 1C 4D 90  50| 00  00>
+
  >  (2)    |  0 for guests    |                   |   urement; Unix  0 for >
  +---+---+---+---+---+---+---+---+   +---+---+---+---+---+---+---+---+
+
  +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
  >  ID   Body fat 1   |    Body fat 2    | Body fat 3  |       
+
  >  ID     Displayed body   |    Covariance    |    Body fat 2    |
  > 00 00| 00  00  00  00| 00  00     00  00| 00  00  00  00|      
+
  > guests |   fat, per mil    |     as float     |                   |
  +---+---+---+---+---+---+---+---+   +---+---+---+---+---+---+
+
  +----+----+----+----+----+----+----+----+----+----+----+----+----+----+
  
==== explanation ====
 
* Ident 1: Seems to be always 2
 
* (1): Values: 0x5C, 0x5B, 0x4F, might be indication for errornous syncs
 
* (2): Values: 0x1C, 0x1D
 
* (3): Unknown, might saw 0x11 and 0x21
 
* Timestamp 2: Measurement end in unix time
 
* (4): Unknown (fixed?)
 
* Ident 2: Unknown (fixed?)
 
* (5): Values 0x00, 0x66
 
* Weight in g: self-explanatory
 
* Timestamp 1: Measurement start in unix time
 
* User ID: 0x00 for guest, values for registered users: 0x0011yyyy
 
* Body fat 1: Displayed body fat in per mil
 
* Body fat 2: Maybe physical measurement value (resistance, electrical impedance). For registered users this has always a value.  For guests this is 0x0.
 
* Body fat 3: Value similiar to Body fat 1
 
  
=== response ===
+
* For guests ''users id'', ''displayed body fat'', ''covariance'' and ''body fat 2'' are set to 0.
==== header ====
+
* The covariance is also displayed inside the HTML code if you login to your account.
0               4                  8
 
+---+---+---+---+---+---+---+---+  +---+---+
 
|  Timestamp    |  ???  |  Number of users  |
 
|              |      |                  |
 
+---+---+---+---+---+---+---+---+  +---+---+
 
  
==== user data ====
+
=== Response ===
  0               4                  8               12
+
==== Header ====                                                                            
  +---+---+---+---+---+---+---+---+  +---+---+---+---+---+---+---+---+
+
                                                                                             
|    User Id    |                    Always zero                    >
+
  0                   4                  8                                                  
| XX  XX  YY  YY|                                                  >
+
  +----+----+----+----+----+----+----+----+----+----+                                        
+---+---+---+---+---+---+---+---+  +---+---+---+---+---+---+---+---+
+
  |     Timestamp    |Unit|StatNumber of users |                                        
>              | Name of user (only first three bytes used, rest  >
+
  |                   |    | us |                   |                                         
>              |                                                  >
+
  +----+----+----+----+----+----+----+----+----+----+
+---+---+---+---+---+---+---+---+  +---+---+---+---+---+---+---+---+
 
  > is filled with spaces)        |   |     ???      |     ???      |
 
  >                              |  |    58950      |              |
 
+---+---+---+---+---+---+---+---+  +---+---+---+---+---+---+---+---+
 
| Age in years  |Sex|      Height in -  |  Weight in g | Body Fat >
 
  |               |  |   millimeters   |               |           >
 
  +---+---+---+---+---+---+---+---+  +---+---+---+---+---+---+---+---+
 
>  |      ???      | ??|  Some weight  |  Timestamp    |
 
>  |1040128544 or 0|  |              |              |
 
+---+---+---+---+---+---+---+---+  +---+---+---+---+---+
 
  
==== padding ====
+
==== User Data ====
  0               4              8
+
  0                   4                   8                  C
  +---+---+---+---+---+---+---+---+
+
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
  |           Padding            |
+
|      User ID      |                    Always zero                          >
  |                               |
+
|                  |                  (maybe reserved)                        >
  +---+---+---+---+---+---+---+---+
+
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
 +
>                  |          Name of user, only first three bytes used, rest  >
 +
>                  |                                                          >
 +
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
 +
>  is filled with spaces               |    Tolerance min  |  Tolerance max  |
 +
>                                      |                  |                  |
 +
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
 +
|  Age in years    |Gen |    Height in    |    Some weight    |    Body Fat  >
 +
|                  |der |    millimeters    |      or 0        |              >
 +
  +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
 +
>    |  Covariance (?) |     Some other    |    Timestamp    |
 +
  >    |  1040128544 or 0  |      weight      |                   |
 +
  +----+----+----+----+----+----+----+----+----+----+----+----+----+
  
==== explanation ====
+
==== Padding ====
== own tools ==
+
0                  4                  8
 +
+----+----+----+----+----+----+----+----+
 +
|        Padding, always zero          |
 +
|                                      |
 +
+----+----+----+----+----+----+----+----+
 +
 
 +
==== Explanation ====
 +
* Unit: 00 Pound, 01 Stone, 02 Kilo
 +
* Status: 0x32 configured, 0x64 unconfigured, no users (yet)
 +
* Tolerance max/min: last weight +/- 4kg (in our tests); used by scale to recognize users
 +
* Gender: 02 male, 00 female
 +
 
 +
== Own tools ==
 
/* to be crafted */
 
/* to be crafted */
  
 
== attacks ==
 
== attacks ==
===gather information===
+
During our analysis we found some vulnerabilities. We contacted fitbit via mail, twitter and phone, but we never got an acknowledgement nor an answer - even after calling the german represantive of fitbit, who forwarded our research to the management. Since some time past since that and hopefully they fixed the issues here are our theoretical attacks.
/* MAC - what is it, what's the idea to use it */
+
 
First results showed that... /* continue with dumping DB */. This is a base attack used later again.
+
=== fatify local target ===
===fatify local target===
+
 
Das geht relativ einfach: Mit tcpdump oder Wireshark die Daten eines Ziels nach der Messung mitschneiden. Da meistens WPA im WLAN zum Einsatz kommt, empfiehlt es sich hier am Router oder danach die Daten mitzusniffen. Anschließend einfach den Request klonen und ein eigenes Gewicht oder Körperfett einsetzen. Es kann sein, dass fitbit die Anzahl der Messungen beschränkt und das Gewicht der Person in einem gewissen Limit (Durschschnitt) liegen muss.
+
It's quite easy to change the values of a local user. If you have access to the local network you can sniff the packets send to the fitbit servers (tcpdump, ethereal). As soon as you have the sniffed data, you can just resent the packet with custom weight and fat measurements. It might be that fitibit limits the number of measures and that the weight of a target needs to be within some limits/average values (e.g. no one will increase weight by 5kg in some hours only).
===fatify the world===
+
 
In der Theorie ist es möglich alle fitbit User etwas schwerer zu machen. Die Waage authentifiziert sich mit der MAC Adresse, zusätzlich gibt es eine xx Bit Userkennung. Die MAC Adresse (Herstellerkennung + Wert) kann man per Brute-Force testen, die Benutzerkennung macht den Aufwand aufgrund der vielen Bits aber sehr langwierig. Da der fitbit Server allerdings auch auf Gäste antwortet und zwar mit der kompletten Userliste inkl. der Benutzerkennung, kann man einfach einen Request als Gast (Wert 0) absetzen. Als Antwort schickt der Server die Kennungen zurück und man kann sich seine eigenen Requests zusammensetzen - für alle fitbit User weltweit ;-)
+
=== fatify the world ===
 +
 
 +
We did not test it, but probably it's possible to increase the weight for all fitbit users worldwide. The scale authenticates with the server using the MAC (which just increments). Additionally there is a user ID with some bits. These can be tested by bruteforce but might take some time. The fitbit server also replies to guests (value 0) and gives out the complete userlist with the user ID in response. If you now take the user ID and create custom requests you should be able to submit new weights for all fitbit users - worldwide :)

Aktuelle Version vom 15. März 2014, 02:55 Uhr

Crystal Clear action run.png
Fitbit Aria Wi-Fi Scale

Status: beta

Fitbit cat img.jpg
Beschreibung Reverse engineering the Fitbit Aria WLAN scale protocol
Autor: architekt, krisha
PayPal Spenden für Fitbit Aria Wi-Fi Smart Scale

Description

The Scale

The scale offered by Fitbit measures weight and body fat. The data is then submitted to their website and can be further analysed. It is possible to use one scale for multiple users including different accounts on Fitbit's website. The scale identifies the users by their weight and maybe their body fat.

The Master Plan

We want to create our own service to analyse the data ourselves. With that we're able to bypass existing limits and to extend the functionality. We may be able to allow more users and to identify the users in a better way. Additionally the data is not send to a public website vie unencrypted transmission anymore. One main interest is also the reverse-engineering of the protocol and maybe more...

Analysis

Request

  • The data is transmitted with HTTP POST to http://www.fitbit.com/scale/upload.
  • It usually consists of 62 bytes of binary data in little endian format.
    • In case there is no connection, the data is stored inside the scale and transmitted later.
0                   4                   8                   C
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
|      Ident 1      |       Battery     |     MAC Address of scale    | Firmware>
|     fixed (2)     |     in percent    | 00   1D   C9   XX   XX   XX |  e.g.   >
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
> version |      unknown      |     Timestamp     | Number of measure-| Ident   >
>   28    |     fixed (33)    |     Sync; Unix    |   ments (here 1)  | fixed   >
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
>         |  Elec. impedance  |   Weight in g     |  Timestamp Meas-  |   User  >
>  (2)    |   0 for guests    |                   |   urement; Unix   |  0 for  >
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
>  ID     |  Displayed body   |    Covariance     |    Body fat 2     |
> guests  |   fat, per mil    |     as float      |                   |
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+


  • For guests users id, displayed body fat, covariance and body fat 2 are set to 0.
  • The covariance is also displayed inside the HTML code if you login to your account.

Response

Header

0                   4                   8                                                    
+----+----+----+----+----+----+----+----+----+----+                                          
|     Timestamp     |Unit|Stat|  Number of users  |                                          
|                   |    | us |                   |                                          
+----+----+----+----+----+----+----+----+----+----+

User Data

0                   4                   8                   C
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
|      User ID      |                     Always zero                           > 
|                   |                  (maybe reserved)                         >
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
>                   |          Name of user, only first three bytes used, rest  >
>                   |                                                           >
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
>   is filled with spaces               |    Tolerance min  |   Tolerance max   |
>                                       |                   |                   |
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
|   Age in years    |Gen |     Height in     |    Some weight    |    Body Fat  >
|                   |der |    millimeters    |       or 0        |              >
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
>    |   Covariance (?)  |     Some other    |     Timestamp     |
>    |  1040128544 or 0  |       weight      |                   |
+----+----+----+----+----+----+----+----+----+----+----+----+----+

Padding

0                   4                   8
+----+----+----+----+----+----+----+----+
|         Padding, always zero          |
|                                       |
+----+----+----+----+----+----+----+----+

Explanation

  • Unit: 00 Pound, 01 Stone, 02 Kilo
  • Status: 0x32 configured, 0x64 unconfigured, no users (yet)
  • Tolerance max/min: last weight +/- 4kg (in our tests); used by scale to recognize users
  • Gender: 02 male, 00 female

Own tools

/* to be crafted */

attacks

During our analysis we found some vulnerabilities. We contacted fitbit via mail, twitter and phone, but we never got an acknowledgement nor an answer - even after calling the german represantive of fitbit, who forwarded our research to the management. Since some time past since that and hopefully they fixed the issues here are our theoretical attacks.

fatify local target

It's quite easy to change the values of a local user. If you have access to the local network you can sniff the packets send to the fitbit servers (tcpdump, ethereal). As soon as you have the sniffed data, you can just resent the packet with custom weight and fat measurements. It might be that fitibit limits the number of measures and that the weight of a target needs to be within some limits/average values (e.g. no one will increase weight by 5kg in some hours only).

fatify the world

We did not test it, but probably it's possible to increase the weight for all fitbit users worldwide. The scale authenticates with the server using the MAC (which just increments). Additionally there is a user ID with some bits. These can be tested by bruteforce but might take some time. The fitbit server also replies to guests (value 0) and gives out the complete userlist with the user ID in response. If you now take the user ID and create custom requests you should be able to submit new weights for all fitbit users - worldwide :)