Keeping Fitbit safe from hackers and cheaters with FitLock

As if having the caloric details of your sex life posted publicly wasn’t enough, new research has exposed additional security vulnerabilities in the popular Fitbit fitness tracking devices (See disclosure). A team from Florida International University has shown that Fitbits can be subject to attacks including denial of service, injection, and data capture.

Many of these problems stem from the fact that the Fitbit uses plain HTTP in its communications, so usernames, passwords, and fitness data travel in the clear and are exposed to any opportunistic attacker on the path. A suite of tools the researchers built to probe the Fitbit was able to capture data from any Fitbit tracker within a radius of 15 feet. Another attack they tested forced the Fitbit to attempt frequent data uploads, draining the battery 21 times faster than with the normal once-a-day upload schedule.

An additional problem the researchers identified is an absence of a data consistency check on the Fitbit and its associated online social network. For example, they were able to inject 12.6 million steps into a user account, which the system translated into only 0.02 miles traveled, based on the initial calibration to the user’s stride length. This kind of data injection could be exploited by cheats, people who don’t want to work for the badges and monetary rewards that are available to fitness over-achievers.

While such an attack on a given individual might seem far-fetched, hackers could be motivated to expose or misuse sensitive personal health data. The consequences of that exposure could be no more than embarrassment for the Fitbit’s owner, but the security and privacy ramifications could go much deeper for similarly vulnerable wireless devices used in larger settings by healthcare companies.

The researchers also highlighted a few more bizarre “mule” attacks, such as attaching the Fitbit to a spinning rope or a car wheel (you can “burn” about 350 calories in 20 minutes with the latter method).

To combat these attacks, they developed FitLock, a prototype defense system that adds encryption to the tracker's communications. A data consistency check also verifies new uploads against the user's stride length and basal metabolic rate, so that the number of steps, distance traveled, and calories burned must correspond before an upload is accepted. According to the recently released research, this additional security costs a negligible 37 ms of processing time, about 2.4 percent more than normal Fitbit overhead. They also propose an extra step to thwart mule attacks: using a smaller, more accurate GPS chip to tell whether location is not changing (rope attack) while steps are being recorded, or is changing far too much (wheel attack) for the steps claimed.
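To make the consistency and mule checks concrete, here is an added example of the kind of server-side plausibility check described above. It is not FitLock's or Fitbit's code; the field names, the per-step calorie ceiling, the step-rate ceiling and the tolerance values are all assumptions chosen for illustration. It flags the 12.6-million-step upload from the earlier paragraph, and also covers the two GPS-based mule signals (no displacement while stepping, or more displacement than the steps could account for):

```python
from dataclasses import dataclass
from typing import Dict, Optional

MILE_M = 1609.344
SECONDS_PER_DAY = 86400.0


@dataclass
class Profile:
    """Per-user calibration the server already holds (names are assumptions)."""
    stride_m: float                    # calibrated stride length
    bmr_kcal_day: float                # basal metabolic rate
    max_step_rate: float = 5.0         # assumption: no human sustains >5 steps/s
    max_kcal_per_step: float = 0.2     # assumption: generous energy ceiling per step
    min_walk_m: float = 200.0          # assumption: below this, "no movement" is not judged


@dataclass
class Upload:
    """One sync from the tracker (hypothetical field layout)."""
    steps: int
    distance_miles: float
    calories: float
    elapsed_s: float
    gps_displacement_m: Optional[float] = None  # straight-line start->end fix, if a GPS chip is present


def check_upload(u: Upload, p: Profile, tol: float = 0.15) -> Dict[str, str]:
    """Return a dict of issue-code -> explanation; empty dict means the upload is self-consistent."""
    issues: Dict[str, str] = {}
    if u.elapsed_s <= 0 or u.steps < 0 or u.distance_miles < 0 or u.calories < 0:
        return {"malformed": "negative or zero fields in upload"}

    # 1. Steps must be physically achievable in the elapsed time.
    rate = u.steps / u.elapsed_s
    if rate > p.max_step_rate:
        issues["step_rate"] = f"{rate:.1f} steps/s exceeds {p.max_step_rate} steps/s"

    # 2. Distance must agree with steps * calibrated stride (within tolerance).
    expected_mi = u.steps * p.stride_m / MILE_M
    if abs(u.distance_miles - expected_mi) > tol * max(expected_mi, 0.01):
        issues["distance"] = (f"reported {u.distance_miles:.2f} mi but steps*stride "
                              f"gives {expected_mi:.2f} mi")

    # 3. Calories are bounded below by the BMR share of the interval and above by a
    #    per-step ceiling on top of that share (the ceiling is an assumption).
    basal = p.bmr_kcal_day * u.elapsed_s / SECONDS_PER_DAY
    ceiling = basal + p.max_kcal_per_step * u.steps
    if u.calories < basal * (1 - tol):
        issues["calories_low"] = f"{u.calories:.0f} kcal is below basal share {basal:.0f} kcal"
    elif u.calories > ceiling:
        issues["calories_high"] = f"{u.calories:.0f} kcal exceeds ceiling {ceiling:.0f} kcal"

    # 4. GPS mule signals, only when a displacement is available.
    if u.gps_displacement_m is not None:
        expected_m = u.steps * p.stride_m
        # Rope-style: plenty of steps, but the tracker never went anywhere.
        if expected_m >= p.min_walk_m and u.gps_displacement_m < 10.0:
            issues["no_movement"] = (f"{u.steps} steps but only "
                                     f"{u.gps_displacement_m:.0f} m displacement")
        # Wheel-style: the tracker moved further than the claimed steps could carry it.
        if u.gps_displacement_m > (1 + tol) * expected_m:
            issues["too_much_movement"] = (f"{u.gps_displacement_m:.0f} m displacement "
                                           f"vs {expected_m:.0f} m from steps")
    return issues


# Constructed sample uploads (not captured data) against a 0.762 m stride, 1600 kcal/day profile.
PROFILE = Profile(stride_m=0.762, bmr_kcal_day=1600.0)
HONEST_WALK = Upload(steps=6000, distance_miles=2.84, calories=280.0,
                     elapsed_s=3600.0, gps_displacement_m=4000.0)
INJECTED_STEPS = Upload(steps=12_600_000, distance_miles=0.02, calories=2000.0,
                        elapsed_s=SECONDS_PER_DAY)
ROPE_MULE = Upload(steps=6000, distance_miles=2.84, calories=280.0,
                   elapsed_s=3600.0, gps_displacement_m=3.0)
WHEEL_MULE = Upload(steps=6000, distance_miles=2.84, calories=280.0,
                    elapsed_s=3600.0, gps_displacement_m=20000.0)

if __name__ == "__main__":
    for name, up in [("honest", HONEST_WALK), ("injected", INJECTED_STEPS),
                     ("rope", ROPE_MULE), ("wheel", WHEEL_MULE)]:
        print(name, check_upload(up, PROFILE) or "ok")
```

The "no movement" signal is deliberately a flag rather than a hard reject: a treadmill session also produces many steps with zero displacement, so a deployment would want to combine it with the other checks or ask the user to confirm rather than silently discard the upload.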

The attacks that FitLock averts are not unique to Fitbit or to consumer sensing devices in general. Insulin pumps and cardiac defibrillators that rely on similarly unprotected wireless links, for example, could be manipulated with the same methods, with far more dire consequences.

Disclosure: Fitbit is backed by True Ventures, a venture capital firm that is an investor in the parent company of GigaOM. Om Malik, founder of GigaOM, is also a venture partner at True.