Fitbit Hacked In 10 Seconds - InformationWeek


Commentary | IoT, Mobile // Mobile Devices | 10/22/2015 03:30 PM | Larry Loeb


A Fortinet security researcher says the fitness tracker can be hacked by anyone within Bluetooth range. It doesn't matter whether or not it's paired with another device.


The Fitbit fitness tracker can be hacked in as little as 10 seconds, according to a security researcher with Fortinet.

Building on a Bluetooth vulnerability that Dark Reading had previously written about, senior Fortinet researcher Axelle Apvrille said that the device can be hacked by anyone within Bluetooth range. Bluetooth pairing does not have to occur for the hack to succeed.

Apvrille demonstrated the hack technique at Hacktivity 2015 in Budapest, Hungary. Her slides illustrate how initial penetration via Bluetooth occurs very simply.

Further, she said that the tracker can be hacked without physically compromising it.

The vulnerability was reported to the manufacturer in March, but no fix has been issued thus far.

While the Fitbit device itself can be easily accessed from a Bluetooth device, the USB dongle that is used by the bracelet to communicate with a PC (and then to the Fitbit servers) seems to use encrypted transmissions when communicating with the Internet.

(Image: Fitbit)


In an abstract of a talk scheduled to be delivered at hack.lu 2015, Apvrille notes, "While reverse engineering, we noticed trackers now use end to end encryption for their communications with Fitbit servers."

It therefore seems that there is no exploitable vulnerability attributable to the device reporting data.

Can this vulnerability in Bluetooth connectivity be used to inject malware in the device? Apvrille showed a proof of concept (PoC) attack in the Hacktivity slides.

While she did not use a payload in the PoC, there were 17 bytes available for an injection space. Whether or not these 17 bytes could actually be a malware threat has sparked some debate on Twitter.

Fitbit responded to the assertions by telling Engadget that the product could not be used as an attack vector.


"As the market leader in connected health and fitness, Fitbit is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can't be used to infect users with malware. We will continue to monitor this issue."

Fitbit also acknowledged that it knew about the vulnerability: "Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware."

As embedded devices get smaller and more wearable, this kind of discussion will undoubtedly occur again. Security will always depend on securing the entire system and all of its components, not just the individual parts.


(Editor's Note: After this article was posted, we received the following updated statement from Fitbit:

"On Wednesday October 21, 2015, reports began circulating in the media based on claims from security vendor, Fortinet, that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users' devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.

"As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.

"We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit's products or online services to [email protected]. More information about reporting security issues can be found online at https://www.fitbit.com/security/.")

Comments
larryloeb (User Rank: Author), 10/27/2015 | 12:04:33 PM
Re: Why would you hack that?

Well, it's personal information that can be aggrandized and resold.

You could say to a local gym: get info on your users or something.

But using this as an attack vector to the PC that connects to it seems not to be viable.

kstaron (User Rank: Ninja), 10/27/2015 | 11:46:11 AM
Why would you hack that?

Would there be a reason, given that the FitBit can't transfer malware to other devices, that anyone would want to bother hacking a FitBit? I can't imagine a hacker interested in how many steps I took today or whatnot.