Attacks on Fitness Trackers Revisited: A Case-Study of Unfit Firmware Security
This exposes security vulnerabilities affecting users, courts, and insurance companies who rely on authentic fitness data.
The researchers identified a firmware verification flaw in Withings' Activité fitness tracker that allows adversaries to compromise the device itself, demonstrating this attack type for the first time on fitness trackers.
Fitness trackers - wearables that continuously record a wearer's step count and related activity data - are quickly gaining in popularity. Apart from being useful for individuals seeking a more healthy lifestyle, their data is also being used in court and by insurance companies to adjust premiums. For these use cases, it is essential to ensure authenticity and integrity of data. Here we demonstrate a flaw in the way firmware for Withings' Activité is verified, allowing an adversary to compromise the tracker itself. This type of attack has so far not been applied to fitness trackers. Vendors have started mitigating previous attacks, which manipulated data by interfering with wireless channels, or by physically moving the tracker to fool sensors. Hardware similarities amongst different trackers suggest findings can be transferred to other tracker as well.