Bad News! FitBit can be hacked that could allow hackers to infect any PC connected to it.
What's more surprising?
Hacking FitBit doesn't take more than just 10 Seconds.
Axelle Aprville, a researcher at the security company Fortinet, demonstrated "How to hack a Fitbit in only 10 seconds," at the Hack.Lu conference in Luxembourg.
Aprville's test was a proof of concept (POC) that did not actually focus on executing malicious payload, rather a logical attack.
By using only Bluetooth, Aprville was able to modify data on steps and distance. However, she said it is possible to infect the device in an attempt to spread malware to synced devices.
Fitbit Flex tracker is a flexible wristband that measures health statistics, such as blood pressure and heart rate.
The Flex is a product of Fitbit, and its salient features are:
- It can wake you up with a silent vibration alarm.
- The device is water-repellent.
- The sensor can be removed (and used with other Flex wristbands).
- It is synchronized via USB and can be used via the Fitbit app.
- It does wireless syncing via Bluetooth.
- It has an OLED display.
THE HACK
The hack, which was reported to Fitbit in March, makes use of the open Bluetooth connection of a Fitbit wearable.
According to the researcher, an attacker can send malware to the wearable fitness tracker nearby at a Bluetooth distance, which would then be transferred to any PC the Fitbit came into contact with.
Once infected, whenever the victim wishes to sync his or her fitness data with FitBit servers, the wearable tracker responds to the query, "but in addition to the standard message, the response is tainted with the infected code," Aprville told the Reg.
"From there, [the fitness tracker] can deliver a specific malicious payload on the [PC], that is, start a backdoor, or have the [system] crash [and] can propagate the infection to other trackers," Aprville added.
Video Demonstration
You can watch the video demonstration of the Fitbit Hack by Axelle Apvrille, which shows the attack in work.
How Does the Hack Work?
Here's How the researcher performed the "10 seconds" hack:
- Reverse engineer the Fitbit protocols and manipulate the number of tracked steps and distance covered by the user.
- After this, send a malicious payload (size: 17 bytes) over the Bluetooth signal to the wireless tracker.
- Now, transmit this payload to a computer.
The things worth noticing are:
- Tearing down Fitbit Flex and its USB dongle the researcher demonstrated how hackers could exploit the vulnerability to create fake exercise data and add as many rewards as they wanted.
- Aprville was able to connect to the wireless band and infect it too.
- Any laptop or PC that connects with the infected wearable device can potentially be infected with a trojan, backdoor, or whatever the attacker wants.
- The device could work as a hardware Random Number Generator (RNG).
- Could spy on users.
Aprville also mentions that the device's communication is over XML and Bluetooth Low Energy while encryption and decryption occur on the wearable device, and not on the dongle that is "outside of the security boundaries."
FitBit – Flaws Reported in Fitbit are 'FALSE'
Learning about the vulnerability in the Fitbit Flex trackers the company responded by saying, "We believe that security issues reported today are false, and that Fitbit devices can't be used to infect users with malware."
A spokesperson from Fitbit said Fortinet first contacted Fitbit in March to report a low-severity issue unrelated to malicious software.
And...
"Since that time we've maintained an open channel of communication with Fortinet. We haven't seen any data to indicate that it is possible to use a tracker to distribute malware."
According to the company, Fitbit has a history of working closely with the research communities and it always welcomes thoughts and feedback from security researchers.