fitbit-final presentation

Fitbit - Activity Monitoring, APIs development, Data Analytics and Network security

Avik Das, University of Connecticut, USA
Hongxu Wang, Jingyuan Chou, University of Connecticut, USA
Yupeng Luo, University of Connecticut, USA
Mohammad Valizadeh, University of Connecticut, USA

Upload: avik-das

Post on 16-Jan-2017


Titles and Contents

Project Contents
FitBit Network APIs - OAuth protocol and Data Accuracy
Fitbit Data Analytics
Fitbit network security and protocols
Challenges
Future work
References

FitBit Network APIs - OAuth protocol and Data Accuracy

OAuth Protocol Introduction: Accessing Fitbit data from OAuth protocol & Data Accuracy

Authors - Yupeng Luo, Jingyuan Chou, Hongxu Wang

OAuth Protocol Introduction

OAuth is a protocol that allows users to share private tokens, instead of passwords, that grant access to a specific service (e.g. Fitbit) for a specific resource (e.g. just step counts and hours slept) and for a defined duration (e.g. six months).

Fitbit provides a public API that allows us to gather users' data from their sensors. These APIs require permission to access data, which was obtained with user permission via OAuth on an account setup website that we created. Now we proceed to authorization, which is very important in OAuth.


Obtaining Consent

Fitbit supports the Authorization Code Grant and Implicit Grant flows as defined in RFC 6749 (The OAuth 2.0 Authorization Framework). The Authorization Code Grant flow is recommended for applications that have a web service. This flow requires server-to-server communication using an application's client secret.

Authorization Code Grant Flow

The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.

1. The application redirects the user to Fitbit's authorization page.

2. Fitbit redirects the user back to the client app's callback URL with an authorization code.

3. The client app exchanges the authorization code for an access token and refresh token.

4. The application stores the access token and refresh token. It will use the access token to make requests to the Fitbit API. It will use the refresh token to obtain a new access token when the access token expires, without having to re-prompt the user.
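The four steps above, as an added example that is not code from the presentation: it builds the messages a confidential client sends in the Authorization Code Grant flow and checks the callback before using it. The endpoint URLs and the scope names `activity` and `sleep` are assumptions taken from Fitbit's public OAuth 2.0 documentation, and the client id, secret and callback URL are constructed values.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints assumed from Fitbit's public OAuth 2.0 documentation, not from the slides.
AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"
TOKEN_URL = "https://api.fitbit.com/oauth2/token"


def build_authorize_url(client_id, redirect_uri, scopes):
    """Step 1: URL the user is redirected to. Returns (url, state)."""
    state = secrets.token_urlsafe(24)  # anti-CSRF value, stored in the user's session
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),  # request only what the app will read
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(callback_url, expected_state):
    """Step 2: pull the authorization code out of the redirect, rejecting forgeries."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def _basic_auth(client_id, client_secret):
    # The client secret never leaves the server; it authenticates the token request.
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode(),
            "Content-Type": "application/x-www-form-urlencoded"}


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 3: server-to-server exchange of the code. Returns (url, headers, body)."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id})
    return TOKEN_URL, _basic_auth(client_id, client_secret), body


def build_refresh_request(client_id, client_secret, refresh_token):
    """Step 4: obtain a new access token without prompting the user again."""
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return TOKEN_URL, _basic_auth(client_id, client_secret), body


if __name__ == "__main__":
    # Constructed values for illustration only.
    cid, secret, cb = "CONSTRUCTED_ID", "CONSTRUCTED_SECRET", "https://app.example/callback"
    url, state = build_authorize_url(cid, cb, {"activity", "sleep"})
    print(url)
    code = parse_callback(f"{cb}?code=constructed-code&state={state}", state)
    print(build_token_request(cid, secret, code, cb))
```

The functions only construct requests, so the example runs offline; sending them requires an HTTPS client and a registered application.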

Implicit Grant Flow

The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript. The client receives the access token as the result of the authorization request. The implicit grant type does not include client authentication, and relies on the presence of the resource owner and the registration of the redirection URI.

Implicit Grant Flow Example

1. The client app redirects the user to the Fitbit authentication page.

2. Fitbit redirects the user back to the client app's callback URL with an access token as a URL fragment.

3. The client app stores the access token. It uses the access token to make requests to the Fitbit API.

Difference Between ACGF and IGF

Unlike the Authorization Code Grant flow, the refresh tokens are not issued with the Implicit Grant flow. Refreshing a token requires use of the client secret, which cannot safely be stored in distributed application code. When the access token expires, users will need to re-authorize your app.

Access tokens from the Implicit Grant flow are longer lived than tokens from the Authorization Code Grant flow. Users may specify the lifetime of the access token from the authorization page when an application uses the Implicit Grant flow. The access token lifetime options are 1 day, 1 week, and 30 days. Applications can pre-select a token lifetime option, but the user ultimately decides.


Scope

Applications must only request permission for resources they intend to access or modify. OAuth 2.0 refers to these permissions as scopes. All Fitbit API endpoints require one or more scopes, which are listed in each endpoint's documentation.

Applications must specify a list of scopes when redirecting the user to the authorization page. The access token issued will only contain the scopes the application requested.

Below, we will introduce the scope parameters.


Scope Parameters

Accessing Fitbit data from OAuth protocol based API

Step 1: Finding a Fitbit API that authorizes users with access to Fitbit data
Step 2: Adding our own functions in JavaScript in a Google spreadsheet
Step 3: Coding and testing
Step 4: Visualizing the data

How setup function works

Setup function in JavaScript
Application shown in spreadsheet

Get authorization from API & Google

Choose the authorize function and hit run.
When you see the content on the right, grant your permission by clicking allow.
After the account permission closes, you have successfully connected your Google account with Fitbit and the API.

Download data using API

Why do we get the data using our own script?
All the data will be downloaded automatically without any limit.
Google has a lot of gadgets and charts to help you visualize the data.
We can get another series of data by changing the value of the refreshTimeSeries function, and a different category of data in the GetActivity function.

Data accuracy & comparison with iPhone Health

Date     iPhone health data (steps)   Fitbit data (steps)   Discrepancy (steps)
Oct 6    4551                         4538                  13
Oct 7    2014                         2007                  7
Oct 8    7023                         7014                  9
Oct 9    4603                         4609                  6
Oct 10   5473                         5463                  10
Oct 11   7205                         7201                  4
Oct 12   4035                         4006                  29
Oct 13   6298                         6317                  19
Oct 14   5300                         5299                  1
Oct 15   8720                         8661                  59

Data visualization in chart

Observations of comparison

We did not take our iPhone and Fitbit with us 24/7, which may be one of the reasons for the discrepancy.
The more steps taken, the more discrepancy appears.
The discrepancy is always below 1% in the data, which is trivial and acceptable in analyzing our fitness.

References

Mobile Health Mashups: Making sense of multiple streams of wellbeing and contextual data for presentation on a mobile device - Konrad Tollmar, Frank Bentley, Cristobal Viedma. Venue - Department for Communication Systems, Royal Institute of Technology, Stockholm, Sweden.

Acquiring Evaluation Data of Health Habits and Its Application - Xingquan Cai, Qianqian Shi and Lina Duan. Year - Aug 2013. Venue - College of Information Engineering, North China University of Technology, Beijing 100144, China.

FitBit Data Analysis

Predictive analysis (Depressed vs Non-Depressed)

SVM and Bayes algorithm for Predictive Analysis

Logistic Regression Analysis for (Depressed vs Non-Depressed)

FitBit Vs treadmill data collection

Linear Regression for FitBit vs Treadmill data relationship

Author- Avik Das

Predictive analytics

Objective: To develop a predictive algorithm based on the data collected from Fitbit to see if a person is depressed or not

Algorithm used: Supervised Machine learning and Bayes classification

Input Attributes: Date, Calories Burnt, Steps, Distance, Floors, Minutes Sedentary, Minutes Lightly Active, Minutes Fairly Active, Minutes Very Active, Activity Calories.

Output predicted: Depressed (1) vs Non-Depressed State (1) (# of labels)

Data collection: Using an existing Fitbit API from Fitbit Dashboard

Assumptions: We will have the user data of depressed vs non-depressed for each date.

Input Attributes

Attribute: Description
Date: The date on which data is collected in MM/DD/CCYY (e.g. 11/29/2015)
Calories burnt: The cumulative calories burnt for a particular day (e.g. 393 cal)
Steps: The total number of steps taken by a person in a particular day (e.g. 190 steps)
Distance: The total distance covered by a person in a particular day in miles (e.g. 1.78 miles)
Minutes Asleep: The duration during which the person was asleep in minutes (e.g. 299 Minutes)
Minutes Awake: The duration during which the person was awake in minutes (e.g. 299 Minutes)
Number of Awakenings: The number of times the person was awake during the sleep duration (e.g. 11)
Activity Calories: The number of active calories burnt for a particular day (e.g. 450 cal)

Overview of the prediction process

SVM
Bayes classification

Supervised Machine learning

SVM (Supervised machine learning) - The aim of SVM is to build a model that makes predictions based on evidence in the presence of uncertainty. As adaptive algorithms identify patterns in data, a computer "learns" from the observations. When exposed to more observations, the computer improves its predictive performance.

Steps taken:

a) Data was collected using the Fitbit API for all the dates in a .CSV file.
b) A label (Depressed (1) vs non-Depressed) was assigned to all the records in the dataset. This data was converted into binary format.
c) This data was divided into two parts, training and testing.
d) The training dataset was used to create a model.
e) The model predicted the labels of the testing data.
f) The labels were compared to the ground truth labels which were assigned in part b).
g) Based on how many labels matched, the accuracy was calculated.

Supervised machine learning Output

Python code snippet

Bayes classification

Bayes' theorem - In probability theory, Bayes' theorem shows the relation between a conditional probability and its reverse form. For example, the probability of a hypothesis given some observed pieces of evidence and the probability of that evidence given that hypothesis.

Bayes classification: Based on Bayes' theorem, the Naive Bayes classifier assumes that the effect of the value of a predictor (x) on a given class (c) is independent of the values of other predictors. This assumption is called class conditional independence.

Mathematical interpretation

Minutes sedentary - 60
Calories burnt - 798
Steps climbed - 90
Minutes active - 10

What is the probability that Alice is depressed given the input factors?

Bayes classification

Steps taken:

a) Data was collected using the Fitbit API for all the dates in a .CSV file.
b) A label (Depressed (1) vs non-Depressed) was assigned to all the records in the dataset. (Manual labelling)
c) This data was converted into binary format.
d) This data was divided into two parts, training and testing.
e) The training dataset was used to create a model.
f) The model predicted the labels of the testing data.
g) The labels were compared to the ground truth labels which were assigned in part b).
h) Based on how many labels matched, the accuracy was calculated.

Python code snippet

Accuracy %age
Output

Logistic Regression

Objective - To segregate the factors which negatively/positively impact the stress level
Output: Nominal output (Depressed (1) vs Non-Depressed (0))
Input continuous variables: Date, Calories Burned, Steps, Distance, Floors, Minutes Sedentary, Minutes Lightly Active, Minutes Fairly Active, Minutes Very Active, Activity Calories, Minutes Asleep, Minutes Awake, Number of Awakenings
Ignored variables - Date: By intuition, the date attribute would not have any impact on the stress level, as the person can be Depressed irrespective of any date.

Factors - Logistic regression

Factors that impact the stress level

Probability that a person is Depressed (1): P[1] = 1 / (1 + Exp(Lin)), where Lin is the formula described below
Probability that a person is not Depressed (0): P[0] = 1 / (1 + Exp(-Lin)), where Lin is the formula described below

So the lower the value of Lin, the higher the probability of the person being Depressed.

Lin-JMP output

Positive Intercept (-ve impact on Stress- decreasing Stress level)

Calories burnt
Distance covered
Floors climbed
Minutes Lightly active
Minutes Fairly active
Minutes very Active

Negative Intercept (+ve impact on Stress- Increasing Stress level)

Minutes Sedentary
Steps Climbed

Treadmill vs Fitbit data - Constant Inclination

Speed (miles/hr)   Calories   Distance (miles)   Inclination (%age)
2.2                18         0.06               0.5
2.6                12         0.08               0.5
1.8                16         0.06               0.5
3                  19         0.09               0.5
3.4                25         0.11               0.5
4.2                11         0.13               0.5
4.9                24         0.13               0.5

Speed (miles/hr)   Calories   Distance (miles)   Inclination (%age)
2.2                6          0.06               0.5
2.6                7          0.07               0.5
1.8                5          0.05               0.5
3                  8          0.09               0.5
3.4                8          0.09               0.5
4.2                9          0.11               0.5
4.9                17         0.12               0.5

Fitbit Data - Duration 1 min
Treadmill Data - Duration 1 min

Relation between Fitbit vs Treadmill data

Linear Regression Formula (Fitbit Calc =) using JMP

Fitbit Calories = (142.72 * Treadmill Distance) + (1.0198 * Treadmill Calories)

Treadmill vs Fitbit data - Constant Speed

Speed (miles/hr)   Calories   Distance (miles)   Inclination (%age)
2.8                15         0.08               0.5
2.8                20         0.09               1
2.8                15         0.07               0
2.8                13         0.08               1.5
2.8                17         0.08               2
2.8                17         0.08               2.5
2.8                17         0.08               3

Speed (miles/hr)   Calories   Distance (miles)   Inclination (%age)
2.8                7          0.07               0.5
2.8                9          0.09               1
2.8                7          0.07               0
2.8                8          0.07               1.5
2.8                8          0.07               2
2.8                9          0.08               2.5
2.8                10         0.08               3

Fitbit Data - Duration 1 min
Treadmill Data - Duration 1 min

Relation between Fitbit vs Treadmill data

Fitbit Calories = (-3.98 * Treadmill Calories) + (428.8104 * Treadmill Distance)

Challenges

Manual data collection for Fitbit vs Treadmill data
Data needs to be collected on a larger scale, along with labeling the stress level for any individual on a given day
Fitbit gives minute-by-minute data for some attributes, like the times during which a person was asleep/awake; these needed to be accumulated into a total for a single day
Understanding the SVM and Bayes classification algorithms
Understanding how to run linear and logistic regression using the JMP tool in SAS

Final project report and Future work

Final project report
Predictive analysis to be done on more data for the final report
To try to bring a relation between the predicted output vs Minutes Asleep, Minutes Awake, Number of Awakenings
Literature analysis between Fitbit and other health apps like MyFitness Pal and Nike +

Future Work
Evolving model - When you try to fit a model with new data, the older data gets deleted. As a part of the future work, the new data along with the old data would be retained and the model would be run then.
Other attributes like food data and exercise data would be logged as well, along with the current attributes, for running SVM and Bayes classification.

References

Acquiring Evaluation Data of Health Habits and Its Application - Xingquan Cai, Qianqian Shi and Lina Duan. Year - Aug 2013. Venue - College of Information Engineering, North China University of Technology, Beijing 100144, China.

Validation of the Fitbit One activity monitor device during treadmill walking - Judit Takacs, Courtney L. Pollock, Jerrad R. Guenther, Mohammadreza Bahar, Christopher Napier, Michael A. Hunt. Year - October 2013. Venue - Department of Physical Therapy, University of British Columbia, Canada.

Fit and Vulnerable: Attacks and Defenses for a Health monitoring device - Mahmudur Rahman, Bogdan Carbunar and Madhusudan Banik. Year - April 2013. Venue - School of Computing and Information Sciences, Florida International University, Miami, Florida 33199.

Fitbit Security

Mohammad Hadi Valizadeh
Computer Science and Engineering
University of Connecticut

Fitbit =

Entry-level microcontrollers
ULP radio chips
Sensors
Coin cell battery

The Fitbit systems components:

Tracker to Base Communications: ANT+ & Bluetooth Low Energy (LE)

ANT+ & BLE are good for networks with:
  Short range
  Low power
  Low maintenance

Both standards emphasize:
  Battery power
  Battery life
  Low maintenance

The Challenge:

Why is security important in Fitbit?

While popular and useful in its encouragement of healthy lifestyles, the combination of health sensors and social networks makes social sensor networks the source of significant privacy and security issues.

Fitbit data is valuable:
  Coinwalk!
  Health insurance discount
  Free financial rewards
  Free badges

Where do security vulnerabilities come from?

Wireless nature of tracker communications (ANT/Bluetooth)
Ubertooth module: an open source project for Bluetooth traffic sniffing
BT sniffing tools are still substandard:
  Makes it harder for hackers to develop exploits
  Makes it more difficult for security researchers to realistically evaluate BT security

Poor security practices
Standard social networking problems:
  Infiltration attacks
  Private data leakage

What type of security processes do we need for wearable devices?

Authorization: User inputs PIN (at least for the 1st time)

Pairing: BTLE & ANT+ have three pairing modes:
  Open pairing: Vulnerable to MITM attacks (except when the initial pairing is done in a place where snooping is highly unlikely)!
  Pass key passing: It requires the two (or more) devices to confirm that they have the same pass key.
  Out-of-band pairing: Employs the use of other frequencies and other wireless technologies to participate in the pairing process (like NFC).

Authentication (verify link key): Identity verification of communicating devices based on device ID

During the initialization stage, the two devices also agree upon a secret link key, derived from the PIN, and it is stored between sessions. The authentication procedure, then, gives one device an opportunity to verify its knowledge of the secret key, and thus its identity.

Confidentiality: E0 Stream Cipher or a 128-bit AES encryption

Fitbit Communication Protocol:

Authentication and Confidentiality through BT:Authentication via verifying the link key

Confidentiality via stream cipher encryption

Observations:

Cleartext login information: During the initial user login via the Fitbit client software, user passwords are passed to the website in cleartext (as part of POST data) and then stored in the log files.

Cleartext HTTP data processing: When syncing data to the website, no data protection/authentication is used; all requests are sent over plain HTTP. Capturing tracker data and injecting data into trackers and social network accounts thus becomes possible.

Fitbit responds to broadcasts from any Bluetooth device in range.

Privacy awareness of BTLE: BTLE allows devices to change their private addresses frequently in order to avoid tracking. Observations show that this does not happen in Fitbit! This could lead to potential breaches of privacy:
  3rd parties can track activities of specific users
  The Fitbit application reports private addresses of nearby devices to the server!
  Since addresses are fixed, it could mean Fitbit is able to construct a profile of each user's surroundings and activity patterns
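A check for the address-rotation observation above, as an added example that is not part of the original slides: it audits a scan log of devices you own and reports any whose BLE address stays fixed. The log format, the device labels, the addresses and the 15-minute rotation budget are all constructed assumptions; the address sub-type is read from the two most significant bits of a random address, as the Bluetooth specification defines them.

```python
from collections import defaultdict

# Sub-type of a BLE random address, encoded in its two most significant bits.
RANDOM_SUBTYPES = {0b11: "static random", 0b01: "resolvable private",
                   0b00: "non-resolvable private"}

MAX_PRIVATE_LIFETIME_S = 15 * 60  # assumed rotation budget; tune to your policy


def classify_address(addr, is_random):
    """Return the address type; is_random is the TxAdd flag from the advertisement."""
    if not is_random:
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6
    return RANDOM_SUBTYPES.get(top_bits, "reserved")


def audit_rotation(observations, max_lifetime_s=MAX_PRIVATE_LIFETIME_S):
    """observations: (timestamp_s, device_label, addr, is_random) tuples from a lab
    scan of devices you own. Returns {device_label: [finding, ...]}."""
    seen = defaultdict(dict)  # label -> addr -> [first_seen, last_seen, kind]
    for ts, label, addr, is_random in sorted(observations):
        kind = classify_address(addr, is_random)
        span = seen[label].setdefault(addr, [ts, ts, kind])
        span[1] = ts
    findings = {}
    for label, addrs in seen.items():
        notes = []
        for addr, (first, last, kind) in addrs.items():
            if kind in ("public", "static random"):
                notes.append(f"{addr} is {kind}: fixed identifier, linkable across scans")
            elif last - first > max_lifetime_s:
                notes.append(f"{addr} ({kind}) unchanged for {last - first}s")
        findings[label] = notes
    return findings


# Constructed scan log: one tracker that never changes address, one phone that rotates.
SAMPLE_LOG = [
    (0, "tracker", "C4:1F:22:9A:03:7E", True),
    (3600, "tracker", "C4:1F:22:9A:03:7E", True),
    (7200, "tracker", "C4:1F:22:9A:03:7E", True),
    (0, "phone", "5A:10:33:AB:CD:01", True),
    (600, "phone", "7B:44:90:12:EF:02", True),
    (1200, "phone", "4D:8C:01:55:AA:03", True),
]

if __name__ == "__main__":
    for device, notes in audit_rotation(SAMPLE_LOG).items():
        print(device, notes or "addresses rotate within budget")
```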

Adversary Model:

External Attackers: External attackers attempt to learn and modify the fitness information reported by the trackers of other users, as well as disrupt the Fitbit protocol.

Insiders: Insiders own Fitbit trackers and may attempt to report fitness values that do not reflect their effort, e.g., inflate reports or replay old values.

Attacks:

External:

Tracker Private Data Capture (TPDC): FitBite uses the TM module to discover any tracker device within a radius of 15 ft and capture the fitness information stored on the tracker. This attack can be launched in public spaces, particularly those frequented by Fitbit users (e.g., parks, sports venues, etc.).

Tracker Injection (TI) Attack: FitBite uses the TM module along with knowledge of the data and memory bank formats and required opcode instructions to modify any of the real-time fitness data stored on neighboring trackers. FitBite allows the attacker to choose the data to be modified. It then reads the data from the storing memory bank and modifies the target bytes while keeping the remaining locations unmodified. The TM can, however, modify multiple fitness records (memory banks) simultaneously.

User Account Injection (UAI) Attack: Fitbit allows a tracker to report its data to the user's social network account through any USB base in its vicinity (15 ft. radius).

Battery Drain Attack: FitBite allows the attacker to continuously query trackers in her vicinity, and thus drain their batteries at a faster rate.

DoS: FitBite's injection attack can be used to prevent users from correctly updating their real-time statistics. A tracker can display up to 6-digit values. Thus, when the injected value exceeds 6 digits, the least significant digits cannot be displayed on the tracker. This prevents the user from keeping track of her daily performance evolution.

Insider:

Tracker Injection (TI) Attack

Mule Attack: Besides attacks exploiting Fitbit's unprotected wireless communications, adversaries may also launch physical, mule attacks, by attaching trackers to various moving objects. This enables the adversary to increase fitness parameters with significantly less effort than walking.

Attack examples.

The Big Bang Theory of Fitbit!

How to prevent attacks (Proposals):

For external adversary:
  Fitlock! (For previous versions of Fitbit) http://users.cis.fiu.edu/~mrahm004/fitlock/
  Obfuscation of the encryption key used in the BTLE key exchange scheme
  Enabling the privacy awareness feature of BTLE in Fitbit
  A more short-range communication: the short-range transmission of data typical of low- and ultra-low-power (ULP) wireless applications is of little interest to most hackers
  What about NFC?

For insider adversary:
  Data verification: GPS, heart rate, blood pressure, etc. sensors (e.g. the AD8232 AFE, which comes in a 4 × 4 mm sized package). The HRM device measures cardiovascular electrical signals from the heart and the tracker only records the user's activity if it gets such signals from the user. It ensures that the user is actually wearing the tracker, thus trivially preventing rope or wheel attacks.

  If (D_hr & D_c & D_bp & D_gps & D_tem) is True:
      Report/Send the data
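For the external-adversary side of these proposals, an added example that is not FitLock and not Fitbit's protocol: a generic message authentication code plus a per-tracker counter, showing how a server can refuse injected and replayed sync records. The record layout, the 16-byte tag length and the per-tracker key provisioning are assumptions made for this sketch, and it does not address mule attacks, where the device itself reports inflated values.

```python
import hashlib
import hmac
import struct

RECORD_FMT = ">IQI"   # tracker_id, counter, steps (assumed layout)
TAG_LEN = 16          # truncated HMAC-SHA256 tag, an assumed size


def seal_record(key, tracker_id, counter, steps):
    """Tracker side: serialize one record and append a MAC over all fields."""
    body = struct.pack(RECORD_FMT, tracker_id, counter, steps)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class SyncVerifier:
    """Server side: accept a record only if its MAC verifies and its counter advances."""

    def __init__(self, keys):
        self.keys = keys          # tracker_id -> per-tracker secret key
        self.last_counter = {}    # tracker_id -> highest counter accepted so far

    def accept(self, message):
        if len(message) != struct.calcsize(RECORD_FMT) + TAG_LEN:
            return "rejected: malformed"
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        tracker_id, counter, steps = struct.unpack(RECORD_FMT, body)
        key = self.keys.get(tracker_id)
        if key is None:
            return "rejected: unknown tracker"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad MAC"       # injected or modified record
        if counter <= self.last_counter.get(tracker_id, -1):
            return "rejected: replay"        # old record sent again
        self.last_counter[tracker_id] = counter
        return f"accepted: {steps} steps"


if __name__ == "__main__":
    key = bytes(range(32))  # constructed key for illustration only
    server = SyncVerifier({7: key})
    genuine = seal_record(key, 7, 1, 4538)
    forged = struct.pack(RECORD_FMT, 7, 2, 999999) + genuine[-TAG_LEN:]
    for name, msg in [("genuine", genuine), ("replayed", genuine), ("forged", forged)]:
        print(name, "->", server.accept(msg))
```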

Proposals cont.

Fitlock for older versions of Fitbit
NFC is indeed possible! The first NFC keyboard for Android devices: Elecom's TK-FNS040

NFC vs. Bluetooth

Conclusions:

The security afforded by using a proprietary protocol unique to a single vendor is usually sufficient.
Both BLE and ANT+ seem to be kind of o.k. from a security point of view.
The ANT+ solution focuses on being certain that all data exchange takes place between legitimate devices through authentication procedures.
ANT-FS (file share), an extension to the ANT RF software protocol that implements a session-based mechanism for securely uploading and downloading data.

Maybe just a few modifications

Our results show that while the Fitbit security setup generally appears to be sound, there is room for further exploration and analysis!Applying NFC to wearable devices can be a real breakthrough!