Fitbits are popular devices among people who like to track their steps and exercise. But new research reveals that a Fitbit device is unprotected against simple malware attacks. More importantly, the malicious code that can be sent to a Fitbit device without the user’s knowledge can then infect a computer used to sync data collected by the wearable.
UPDATE: Statements from Fitbit and more tweets from the researcher who first mentioned the issue are available at the end of this post, revealing the issue isn’t as dangerous to users as initially believed.
Fortinet researcher Axelle Apvrille has discovered the hack, The Register reports. The initial attack occurs over Bluetooth and needs just 10 seconds to be delivered. A hacker only has to be in the proximity of the target to send the code and then wait for the target to connect his or her Fitbit to a PC. After it’s transmitted to the Fitbit device, the code can survive even after a Fitbit is restarted.
Once that’s done, the second phase of the attack commences, as the malicious code can infect the computer with a backdoor, trojan or any other malicious program.
“An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near,” Apvrille said. “[When] the victim wishes to synchronize his or her fitness data with Fitbit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.”
Apvrille continued, “From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”
Fitbit was informed about the problem in March, but the company sees it as a bug that will be squashed at some point; it’s not clear whether anyone is currently using this particular technique to target Fitbit users. Apvrille will offer a proof-of-concept demonstration video at the Hack.Lu conference in Luxembourg.
UPDATE: Fitbit issued the following statement on the hack, denying the threat is real.
As the market leader in connected health and fitness, Fitbit is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can’t be used to infect users with malware. We will continue to monitor this issue.
Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware.
We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit’s products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/.
UPDATE 2: Fitbit revised its statement after Apvrille confirmed to the company that this is only a theoretical scenario and cannot be used to infect user devices with malware:
On Wednesday October 21, 2015, reports began circulating in the media based on claims from security vendor, Fortinet, that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users’ devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.
As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.
We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit’s products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/.
A series of tweets from Apvrille seems to further detail the matter, insisting this is a proof of concept that requires a second exploit to work.
@zittrain note however the scenario where a small virus propagates is – I believe – possible but not yet demoed. Need exploit on sync host.
— Axelle Ap. (@cryptax) October 21, 2015
concerning that scenario of infecting a fitness tracker, it's important to read the slide on limitations 1/ it's a PoC, no malicious code
— Axelle Ap. (@cryptax) October 21, 2015
2/ to complete the scenario you'd need to execute the malicious code on the victim's host. This is yet to do (requires an exploit?)
— Axelle Ap. (@cryptax) October 21, 2015
3/ only 17 bytes available. Though I don't feel that's really an issue 4/ I lose a few bytes after reset (but I don't think that's a big pb)
— Axelle Ap. (@cryptax) October 21, 2015