Hossein Fereidooni

Postdoctoral Researcher

Mornewegstraße 30
D-64293 Darmstadt

Building: S4|14





Since 2017

Postdoctoral Researcher

at CYSEC and Technische Universität DarmstadtGermany


Ph.D. Computer Science

at University of Padua, Italy


Visiting Ph.D. Student

at CYSEC and Technische Universität DarmstadtGermany


M.Sc. Electrical Engineering

at The Amirkabir University of Technology, Tehran, Iran


B.Sc. Biomedical Engineering

at The Amirkabir University of Technology, Tehran, Iran



  • Research Grants for Doctoral Candidates and Young Academics and Scientists, funded by the German Academic Exchange Service (DAAD) from October 2016 to June 2017.




Breaking Fitness Records without Moving: Reverse Engineering and Spoofing Fitbit

Author Hossein Fereidooni, Jiska Classen, Tom Spink, Paul Patras, Markus Miettinen, Ahmad-Reza Sadeghi, Matthias Hollick, Mauro Conti
Date September 2017
Kind Inproceedings
Book titleProceedings of the 20th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
LocationAtlanta, Georgia, USA
Research Areas System Security Lab, CYSEC, CROSSING, Solutions, S1, S2
Abstract Tens of millions of wearable fitness trackers are shipped yearly to consumers who routinely collect information about their exercising patterns. Smartphones push this health-related data to vendors’ cloud platforms, enabling users to analyze summary statistics on-line and adjust their habits. Third-parties including health insurance providers now offer discounts and financial rewards in exchange for such private infor mation and evidence of healthy lifestyles. Given the associated monetary value, the authenticity and correctness of the activity data collected becomes imperative. In this paper, we provide an in-depth security analysis of the operation of fitness trackers commercialized by Fitbit, the wearables market leader. We reveal an intricate security through obscurity approach implemented by the user activity synchronization protocol running on the devices we analyze. Although non-trivial to interpret, we reverse engineer the message semantics, demonstrate how falsified user activity reports can be injected, and argue that based on our discoveries, such attacks can be performed at scale to obtain financial gains. We further document a hardware attack vector that enables circumvention of the end-to-end protocol encryption present in the latest Fitbit firmware, leading to the spoofing of valid encrypted fitness data. Finally, we give guidelines for avoiding similar vulnerabilities in future system designs.
Website https://arxiv.org/pdf/1706.09165.pdf
[Export this entry to BibTeX]
[Back to List-View]

Important Copyright Notice:

The documents contained in these directories are included by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a non-commercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.

Previous Publications

ANASTASIA: ANdroid mAlware detection using STAtic analySIs of Applications
Hossein Fereidooni, Mauro Conti, Alessandro Sperduti, Danfeng Yao
In: Proceedings of 8th IFIP International Conference on New Technologies, Mobility & Security (NTMS), Cyprus, 21-23th November 2016

Efficient Classification of Android Malware in the wild using Robust Static Features
Hossein Fereidooni, Veelasha Moonsamy, Mauro Conti, Lejla Batina
Book Chapter: In Protecting Mobile Networks and Devices: Challenges and Solutions, CRC Press - Taylor & Francis, 2016 (Editors: Weizhi Meng, Xiapu Luo, Jianying Zhou, Steven Furnell)

Technical Report: Android Code Protection via Obfuscation Techniques: Past, Present and Future Directions
Parvez Faruki, Hossein Fereidooni, Vijay Laxmi, Manoj Singh Gaur, Mauro Conti

Secure Message Delivery Games for Device-to-Device Communications
Emmanouil Panaousis, Tansu Alpcan, Hossein Fereidooni, Mauro Conti
In Proceedings of 5th International Conference, on Decision and Game Theory for Security (GameSec 2014), Los Angeles, CA, USA, November 6-7th, 2014

E2E KEEP: End To End Key Exchange and Encryption Protocol for accelerated satellite networks
H. Fereidooni, H. Taheri, M. Mahramian
IJCNS International Journal of Communications, Network and System Sciences, Vol.5, No.4, April 2012

ML-IPSec+: An End to End Accelerated VPN for Satellite Links
H. Fereidooni, A. Parichehreh, H. Taheri, M. Mahramian, B. Eliasi
IJCSNS International Journal of Computer Science and Network Security, Vol.9, No.1, January 2009

A new Authentication and Key Exchange Protocol for Insecure Networks
H. Fereidooni, H. Taheri, M. Mahramian
The 5th International IEEE Conference on Wireless Communications, Networking and Mobile Computing (WICOM), China, 24-26th September, 2009

A A A | Drucken Drucken | Impressum Impressum | Sitemap Sitemap | Kontakt Kontakt | Webseitenanalyse: Mehr Informationen
zum Seitenanfangzum Seitenanfang