Vote 2020 graphic
Everything you need to know about and expect during
the most important election of our lifetimes

Hackers Can Wirelessly Upload Malware to a Fitbit in 10 Seconds

Illustration for article titled Hackers Can Wirelessly Upload Malware to a Fitbit in 10 Seconds

Wearables are like hacker candy. They represent a new category of technology that’s capable of storing data—including malware—that people don’t expect to get pwned. But that’s exactly what just happened: Hackers figured out how to remotely upload malware to a Fitbit. It only takes ten seconds.

Advertisement

Hack.Lu conference in Luxembourg tomorrow, said hackers will demonstrate a method for wirelessly loading malware onto a Fitbit Flex fitness tracker. The Register reports that this is “the first time malware has been viably delivered to fitness trackers.” Fortinet researcher Axelle Apvrille helped come up with the exploit and explains it it horrifying terms:

An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near.

[When] the victim wishes to synchronize his or her fitness data with FitBit servers to update their profile… the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.

Advertisement

It doesn’t sound like a big deal for a fitness tracker to be tainted with code. That is, until you remember that people plug these things into their computers. Apvrille continues:

From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers [Fitbits].

When you think about it, the little accessories are the perfect delivery system for malware. Unlike a USB stick, people probably don’t expect their fitness trackers to be a target for hackers.

The really frustrating thing about this exploit is the fact that Fitbit’s known about the vulnerability since March when the Fortinet researchers contacted them, but the company still hasn’t fixed it. Now that details are out in the open, let’s hope Fitbit ups its security game. In the meantime, maybe just leave that gadget at home.

Advertisement

Update (10.22.2015): FitBit sent us the following statement regarding the hack:

As the market leader in connected health and fitness, Fitbit is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can’t be used to infect users with malware. We will continue to monitor this issue.

Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware.

We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit’s products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/.

Advertisement

[The Register]


Contact the author at adam@gizmodo.com.
Public PGP key
PGP fingerprint: 91CF B387 7B38 148C DDD6 38D2 6CBC 1E46 1DBF 22A8

Advertisement

Share This Story

Get our newsletter

DISCUSSION

platypus222
Platypus Man

It doesn’t sound like a big deal for a fitness tracker to be tainted with code. That is, until you remember that people plug these things into their computers.

Not just your computer, but by default Fitbit devices will sync with any computer it passes within range of that’s running the software (and has Bluetooth or at least the included Bluetooth dongle). So even if you leave your Fitbit at home, someone else’s infected Fitbit could infect your computer if you’re still running their stuff.

People also often sync them with their phones, so that’s another potential avenue of spreading.