PCs, smartphones, and tablets are fair game to hackers these days, and we've also started to see cars with sophisticated infotainment systems and controls getting hacked. But what about the innocent little wearables whose sole purpose is to keep your body healthy? Well, now they're getting hacked as well. Worse, they might be used to make other computers unhealthy. Fortinet researcher Axelle Apvrille reveals that the Fitbit is one such wearable that easily succumbs to a hack in just 10 seconds and can then spread the malware to computers it syncs with.
The scenario almost sounds like something straight out of a spy flick. An attacker gets within Bluetooth range of a Fitbit fitness tracker, near enough to establish a connection. It doesn’t need to be a long connection though, as 10 seconds is reportedly enough to drop the payload. Once the deed is done, the malware sits innocently in the wearable, waiting for the user to connect it to a PC to sync.
Once the Fitbit tries to communicate with the PC to update the user's profile, it also dumps malicious code that can create a backdoor on the computer or cause the machine to crash. Even worse, the infected computer can then infect other Fitbits that connect to it, spreading the malware further. The malware on the Fitbit itself persists even when the wearable is restarted.
This is probably the first recorded hacking attempt targeting wearables, but the issue itself is not exactly new. According to The Register, Apvrille says that he already reported the issue to Fitbit back in March. Half a year later, the vulnerability still exists, as Fitbit seems to regard it not as a critical security problem but as a bug to be fixed at some point in the future. Apvrille will present a proof-of-concept demo of the vulnerability at the Hack.Lu conference in Luxembourg this week.
UPDATE: Fitbit responds with the following statement.
“On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims, has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users’ devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.
As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.
We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit’s products or online services to firstname.lastname@example.org. More information about reporting security issues can be found online at https://www.fitbit.com/security/.” – Fitbit Spokesperson