Hacking the Nike Fuel API

By nature I’m curious, I love technology and I love web application security and when it comes to combining the two well it gets me thinking.

And although this is not a security vunerablity with the wearable device its a reminder that data without proper validation and security controls data is simply untrusted.

FuelBand

I’ve been having a FuelBand for quite some time, but only recently curiousity kicked in of how data from the device can be used for my advantage.

The Interesting part

So I started with a simple process of trying to capture as much data as I can between the device and the Nike API, this was done via Fiddler.

In order to view HTTPS data via Fiddler you need to enable the decrypting HTTPS option under Tools > Fiddler Options > HTTPS, once thats in place you are ready to plug in the device and start capturing.

Once you have Fiddler running, you can start by plugging your Nike device into the USB port and watch closely at the sequence of events, in particular the POST sequence that does the upload of your data.

-------- POST URL --------

https://api.nike.com/v2.0/me/sync?access_token=xxxxxxxxxxxxxx

-------- Headers --------

Host: api.nike.com
Accept: application/json
Content-Type: application/json
appid: fuelband
cookie: AnalysisUserId=xx.xxx.xxxxx.xxxxxxxxxx
Content-Length: 1019363

-------- Request Body --------

{
   "calories" : 2,
   "detail" : [
      {
         "dataSeries" : [
            {
               "intervalMetric" : 1,
               "intervalType" : "time",
               "intervalUnit" : "min",
               "metrics" : [ "calories", "fuel", "steps", "stars" ],
               "objType" : "dataStream",
               "startTime" : 1411691423000,
               "value" : [
                  [ 1, 4, 0, 0 ],
                  [ 1, 5, 58, 0 ]
               ]
            }
         ],
         "name" : "data"
      }
   ],
   "dstOffset" : "01:00",
   "duration" : 2,
   "fuel" : 9,
   "stars" : 0,
   "startTime" : 1411691423000,
   "steps" : 58,
   "summary" : {
      "deviceConfig" : [
         {
            "component" : {
               "id" : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
               "type" : "FUELBAND2",
               "version" : "0.46.2296a"
            }
         }
      ],
      "lastOffset" : 314612,
      "lastTimeStamp" : 1411692222000
   },
   "timeZone" : "-08:00",
   "timeZoneId" : "America/Los_Angeles",
   "type" : "all_day"
}

As you see above you can now easily reconstruct the HTTPS POST with your values for calories, fuel, steps etc…

Example Data

Here’s my FuelBand Data from 10/21/2014, as you can see that day I did 1100 Fuelpoints, easy when considering I did not move much that day.

FuelBand 1100

Here’s also another shot of zeroing in my data, as you can pass in negative values.

FuelBand Zero

You can also download the binary firmware of the FuelBand and run it by IDA for some fun.

Final Words

The purpose of this is to have users understand that your company-wide competitions (yes everybody is doing them these days) featuring who will do the most steps or burn the most calories are skewed, since anybody with a bit of knowledge can easily put 15,000 steps with a few commands, while watching Shark Tank.

I hope you enjoyed this.

Written on October 26, 2014