Could Fitbit Tracker Be Vulnerable to Quick Hack?
By Jef Cozza / Enterprise Security Today
Published: October 22, 2015

The fitness bracelet on your wrist might be doing more than just counting calories. At least if it’s a Fitbit model, according to new findings by researchers at security firm Fortinet. A vulnerability in the device’s Bluetooth radio could allow a hacker to both manipulate code on the tracker itself, and theoretically deliver code to a computer.

Speaking at the Hack.Lu conference in Luxembourg, Fortinet security researcher Axelle Apvrille said she had developed a proof-of-concept attack that would allow a hacker to penetrate the device from anywhere within range of its Bluetooth radio. Even worse, the hack takes only 10 seconds to execute.

Spying Through a Bracelet

Apvrille disclosed the proof of concept during her “Geek usages for your Fitbit Flex tracker” talk. In her presentation, she discussed how hackers could use the devices to gather private information on the users through the tracker. For example, by hacking the accelerometer’s data, hackers could gather information on a user’s sexual activities.

But even in the case of less prurient data, the Fitbit vulnerability could be profitable for thieves. Since Fitbit incentivizes users to exercise more by offering rewards through partner organizations, hackers could exploit the vulnerability to create fake exercise data, generating as many rewards as they wanted.

Spying on users and manipulating exercise data might be the least of the problems the vulnerability presents, though. Apvrille reported that she had also been able to deliver code. In fact, she said she was able to successfully deliver commands to both the tracker and the dongle that connected to a user’s computer.

Beyond merely executing code on the tracker, Apvrille said she was able to use the tracker as a stepping-stone to infecting other machines. An attacker could, in principle, propagate an attack by initially injecting malicious code into the device. Then, when the tracker connected to a computer to synchronize its data, it could install a Trojan or set up a backdoor on the victim’s system.

Not So Bad?

Before throwing your Fitbit in the trash, there are some important caveats to the announcement. Apvrille emphasized that the vulnerability she discovered represented only a proof of concept. At the moment, no exploit using the vulnerability has been discovered active in the wild, and no malicious code has been written yet.

Furthermore, the bug only allows attackers to deliver a limited amount of code, up to 17 bytes. That’s not enough to allow a hacker to hijack the Fitbit for an advanced botnet, although it may be large enough to deliver other kinds of viruses. Apvrille said she alerted Fitbit to the exploit in March.

Fitbit Responds

In a statement, a Fitbit spokesperson told us, "On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false."

In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible, the spokesperson said. "Fitbit trackers cannot be used to infect users' devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required," she added.

The spokesperson said Fortinet first contacted Fitbit in March to report a low-severity issue unrelated to malicious software. "Since that time we've maintained an open channel of communication with Fortinet," the spokesperson said. "We have not seen any data to indicate that it is possible to use a tracker to distribute malware."

According to the spokesperson, Fitbit has a history of working closely with the security research community and always welcomes thoughts and feedback from researchers. "The trust of our customers is paramount," the spokesperson said. "We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit's products or online services to security@fitbit.com."
