Taking Control of "guest" Data from the Fitbit Aria Bathroom Scales

25 September, 2018 | General Hackery

I have a problem with a lot of IoT kit, and that problem is reliance on outside servers ("The Cloud") for no good reason. Like I said in my previous blog post on the Philips Hue, I like to run everything on my local network where I can keep an eye on it. This is mainly the reason I'm so selective about my lifelogging and home automation kit, and specifically, the main reason I don't own a Fitbit.

Fitbit do, however, have a lovely little Wi-Fi-connected device, the Aria, which is essentially a set of bathroom scales that sends your weight to a server. Unfortunately it only works with Fitbit's servers, so if you use other services to track your health and activity, you would be out of luck were it not for Helvetic, an ongoing open source project to create a fake Fitbit server on a local network that the Aria will talk to.

However, my problem is quite specific. I don't live alone, and another member of the household is a Fitbit user. One day, the bathroom scales disappeared and an Aria appeared in their place. So I now have three requirements:

1. I'd like to be able to make the scales log my weight to a local server, run by me.
2. The scales, despite being able to detect individual users and link weight readings to the appropriate Fitbit account, still upload all weight measurements to Fitbit's server. I'd rather it didn't do that with mine.
3. In the process of obtaining (1) and (2), the Fitbit user of the house (who, to be fair, paid for the scales!) should not be inconvenienced in any way, and their weight measurements should still be uploaded to Fitbit as normal.

I've spent a few weeks sniffing HTTP traffic and trawling the web for documentation, and come up with Aria-Spoof, which I have put on GitHub with a public domain license. Installing it is quite a complicated process, but it's fit-and-forget, so you only need to do it once. The process involves having a device (such as a Raspberry Pi) on the same local network as the Aria, configured as a DNS server. It answers every lookup of www.fitbit.com with its own IP address, and because the Aria talks to Fitbit over plain, unauthenticated HTTP, the local Apache instance can sit in the middle of every exchange. It forwards all data linked to registered Fitbit users to Fitbit without modification, but any 'guest' data is stored locally in a nicely formatted JSON file which can be easily read by pretty much anything (including humans), and only a fuzzed version of it is sent on to Fitbit.
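To make the DNS half of this concrete, here is an added example (my own illustration, not code from Aria-Spoof) of the selective override the post describes: a minimal RFC 1035 A-record responder that answers www.fitbit.com with the interception host's address and hands every other query to a real upstream resolver. It is the hand-rolled equivalent of a dnsmasq `address=/www.fitbit.com/<local ip>` line. The local address 192.168.1.10 is a constructed value, and the upstream resolver in `serve()` is an assumption; both are placeholders to adjust.

```python
"""Selective DNS override for a home network.

Added example, not Aria-Spoof's own code. Queries for the overridden name get
an A answer pointing at the local machine; every other query returns None so
the caller can relay it to a real resolver untouched.
"""
import socket
import struct

OVERRIDE_NAME = "www.fitbit.com"   # the name the post says is intercepted
LOCAL_IP = "192.168.1.10"          # constructed: the Pi's LAN address


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compressed names are not expected in a query")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A/IN query (used to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, override=OVERRIDE_NAME, ip=LOCAL_IP, ttl=60):
    """Return a spoofed A answer if the query asks for `override`, else None."""
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1 or flags & 0x8000:      # not a single-question query
        return None
    qname, pos = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[pos:pos + 4])
    question = query[12:pos + 4]
    # Only A/IN lookups of the one overridden name are answered here.
    if qname.lower() != override.lower() or qtype != 1 or qclass != 1:
        return None
    # Header: QR=1, RD=1, RA=1, one question, one answer, same transaction id.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def answered_ip(response: bytes) -> str:
    """Extract the IPv4 address from a single-answer response built above."""
    return socket.inet_ntoa(response[-4:])


def serve(bind="0.0.0.0", port=53, upstream=("1.1.1.1", 53)):
    """Answer the overridden name locally and relay everything else upstream."""
    # The upstream resolver is an assumption; use whatever the LAN normally uses.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        query, client = sock.recvfrom(512)
        try:
            reply = build_response(query)
        except (ValueError, IndexError, struct.error):
            continue                      # malformed packet: drop it
        if reply is None:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
                up.settimeout(3)
                up.sendto(query, upstream)
                try:
                    reply, _ = up.recvfrom(4096)
                except socket.timeout:
                    continue
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

The responder only matches A/IN queries for the exact overridden name, so the rest of the household's traffic resolves normally; the Aria simply has to be given this host as its DNS server (via DHCP or the scale's own network setup). The same two properties the post relies on, a device that trusts whatever resolver the LAN hands it and a vendor API spoken over unauthenticated HTTP, are what let any host on the network stand in for the vendor, which is why TLS with proper certificate validation on the device side would close this path.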