
Extracting your WPA PSK from bathroom scales

Ken Munro 08 Jun 2015


Following our tongue-in-cheek hack demo of the Fitbit Aria scales at the Infosecurity Show, here’s a quick how-to and explanation.

We were trying to upload new firmware to the scales, so that when we stepped on them, instead of reading ‘Hi :-)’ …

… it would read ‘Hi Fatty’ from which you can see our warped sense of humour.

We also tried to modify them to act as a network implant on the victim’s network, connecting out to us at our request.

But Fitbit have done a good job of protecting their firmware update process. In the rush to get the demo ready for Infosec, we ran out of time.

We haven’t finished work on this, but now that Fitbit have responded to our attempt to disclose privately some weeks before the show, we will be giving all new findings to them first.

Our work on pulling data from the UART port, flash memory and possibly JTAG is ongoing, but work to date is referenced here and here.

Anyway, how did we get the scales to disclose their PSK? It’s really quite easy.

Take the batteries out or hit the reset button. Wait 10 seconds, then re-insert the batteries.

Connect to the access point that it creates, usually called ‘Aria XXXXX’ or similar, where XXXXX refers to a value unique to the scales.

Then browse to http://1.scale.www.fitbit.com/scale/error_list.js

And there, in plain text, is the WPA PSK.

[Screenshot: error_list.js showing the WPA PSK]

Security issues

Obviously this is a local attack. You have to be in your victim’s bathroom to grab their scales!

However, we’ve found several used scales on eBay. Given you’re likely to know the location (or maybe the exact address, from the delivery note) of the seller, you can buy their scales and go take over their wireless network.

If their Wi-Fi router admin password is default or weak, you’ve got the ability to modify their DNS or MITM their traffic.

Fixing this

Fitbit are already working on a fix. Once the reset button is pressed, the stored PSK and SSID should be wiped.

Similarly, if the batteries are removed, the cached key should be wiped too.

This is a bit of a pain if you’re genuinely just changing the batteries, so maybe the scales should wait for more than 10 seconds before entering setup mode?
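As an added illustration of the fix described above, here is a small C state machine written for this post; it is not Fitbit’s firmware, and the function names, the 30 second hold time and the JSON status layout are assumptions. The point it demonstrates: credentials are wiped before setup mode is entered, a short power interruption (the 10 second battery swap) leaves them intact, and the setup-mode status page never contains the PSK by construction.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SSID 32
#define MAX_PSK  64

typedef enum { MODE_NORMAL = 0, MODE_SETUP = 1 } scale_mode_t;

typedef struct {
    char ssid[MAX_SSID + 1];
    char psk[MAX_PSK + 1];
    bool provisioned;
} wifi_creds_t;

typedef struct {
    wifi_creds_t creds;      /* on real hardware this would sit in flash (assumed) */
    scale_mode_t mode;
    uint32_t setup_hold_ms;  /* reset must persist at least this long to enter setup */
} scale_state_t;

/* Overwrite a buffer through a volatile pointer so the compiler cannot drop the wipe. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Fresh device: nothing is stored, so starting in setup mode leaks nothing. */
void scale_init(scale_state_t *s, uint32_t setup_hold_ms) {
    memset(s, 0, sizeof *s);
    s->mode = MODE_SETUP;
    s->setup_hold_ms = setup_hold_ms;
}

/* Store credentials handed over during setup, then leave setup mode. */
bool scale_provision(scale_state_t *s, const char *ssid, const char *psk) {
    if (s->mode != MODE_SETUP) return false;
    if (strlen(ssid) > MAX_SSID || strlen(psk) > MAX_PSK) return false;
    strcpy(s->creds.ssid, ssid);
    strcpy(s->creds.psk, psk);
    s->creds.provisioned = true;
    s->mode = MODE_NORMAL;
    return true;
}

/* Called once the firmware knows how long the reset condition (button held, or
 * batteries out) lasted. A short interruption keeps the stored credentials; a
 * long one wipes them *before* setup mode is entered, so nothing served in setup
 * mode can contain a previous owner's PSK. */
scale_mode_t scale_handle_reset(scale_state_t *s, uint32_t held_ms) {
    if (held_ms < s->setup_hold_ms) {
        return s->mode;  /* e.g. a quick battery change: stay provisioned */
    }
    secure_wipe(&s->creds, sizeof s->creds);
    s->mode = MODE_SETUP;
    return s->mode;
}

/* Render the status document the setup-mode web server would serve.
 * Returns bytes written, or -1 when the device is not in setup mode.
 * The PSK is never part of the output. */
int scale_setup_status(const scale_state_t *s, char *out, size_t n) {
    if (s->mode != MODE_SETUP) return -1;
    return snprintf(out, n, "{\"mode\":\"setup\",\"provisioned\":%s}",
                    s->creds.provisioned ? "true" : "false");
}

int main(void) {
    scale_state_t s;
    char buf[128];
    scale_init(&s, 30000);                     /* assumed 30 s hold time */
    scale_provision(&s, "HomeNet", "example-psk-constructed");
    printf("10 s reset -> mode %d, provisioned %d\n",
           scale_handle_reset(&s, 10000), s.creds.provisioned);
    printf("30 s reset -> mode %d, provisioned %d\n",
           scale_handle_reset(&s, 30000), s.creds.provisioned);
    scale_setup_status(&s, buf, sizeof buf);
    printf("setup status: %s\n", buf);
    return 0;
}
```

The two design choices that matter are the order of operations in scale_handle_reset (wipe first, then change mode, so there is no window in which setup mode and stored credentials coexist) and the fact that scale_setup_status has no code path that reads the PSK at all, which is easier to audit than a page that reads it and then tries to redact it.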

So, update your firmware as soon as Fitbit release it.

In the meantime, don’t sell your used scales on eBay or elsewhere. If you find your scales are in setup mode, maybe question anyone that has been to your bathroom :-)

There is of course a broader point here about the Internet of Things.

Think carefully about what you put on your network and what you do with these devices once you’re finished with them.