Fitbit Hacked In 10 Seconds - InformationWeek


03:30 PM
Larry Loeb

Fitbit Hacked In 10 Seconds

A Fortinet security researcher says the fitness tracker can be hacked by anyone within Bluetooth range. It doesn't matter whether or not it's paired with another device.


The Fitbit fitness tracker can be hacked in as little as 10 seconds, according to a security researcher with Fortinet.

Building on a Bluetooth vulnerability that Dark Reading had previously written about, senior Fortinet researcher Axelle Apvrille said that the device can be hacked by anyone within Bluetooth range. Bluetooth pairing does not have to occur for the hack to succeed.

Apvrille demonstrated the hack technique at Hacktivity 2015 in Budapest, Hungary. Her slides illustrate how initial penetration via Bluetooth occurs very simply.

Further, she said that the tracker can be hacked without physically compromising it.

The vulnerability was reported to the manufacturer in March, but no fix has been issued thus far.

While the Fitbit device itself can be easily accessed from a Bluetooth device, the USB dongle that is used by the bracelet to communicate with a PC (and then to the Fitbit servers) seems to use encrypted transmissions when communicating with the Internet.

(Image: Fitbit)


In an abstract of a talk scheduled to be delivered at 2015, Apvrille notes, "While reverse engineering, we noticed trackers now use end to end encryption for their communications with Fitbit servers."

It therefore seems that there is no exploitable vulnerability attributable to the device reporting data.

Can this vulnerability in Bluetooth connectivity be used to inject malware in the device? Apvrille showed a proof of concept (PoC) attack in the Hacktivity slides.

While she did not use a payload in the PoC, there were 17 bytes of space available for injection. Whether or not these 17 bytes could actually carry a malware threat has sparked some debate on Twitter.

Fitbit responded to the assertions by telling Engadget that the product could not be used as an attack vector.


"As the market leader in connected health and fitness, Fitbit is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can't be used to infect users with malware. We will continue to monitor this issue."

Fitbit also acknowledged that it knew about the vulnerability: "Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware."

As embedded devices get smaller and more wearable, this kind of discussion will undoubtedly occur again. Security will always depend on securing the entire system and all of its components, not just the individual parts.

(Editor's Note: After this article was posted, we received the following updated statement from Fitbit:

"On Wednesday October 21, 2015, reports began circulating in the media based on claims from security vendor, Fortinet, that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users' devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.

"As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.

"We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit's products or online services to [email protected] More information about reporting security issues can be found online at")

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ...
User Rank: Author
10/27/2015 | 12:04:33 PM
Re: Why would you hack that?
Well, it's personal information that can be aggrandized and resold.

You could say to a local gym: get info on your users or something.

But using this as an attack vector to the PC that connects to it seems not to be viable.