Wearables are like hacker candy. They represent a new category of technology that’s capable of storing data—including malware—that people don’t expect to get pwned. But that’s exactly what just happened: Hackers figured out how to remotely upload malware to a Fitbit. It only takes ten seconds.
Hack.Lu conference in Luxembourg tomorrow, said hackers will demonstrate a method for wirelessly loading malware onto a Fitbit Flex fitness tracker. The Register reports that this is “the first time malware has been viably delivered to fitness trackers.” Fortinet researcher Axelle Apvrille helped come up with the exploit and explains it it horrifying terms:
An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near.
[When] the victim wishes to synchronize his or her fitness data with FitBit servers to update their profile… the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.
It doesn’t sound like a big deal for a fitness tracker to be tainted with code. That is, until you remember that people plug these things into their computers. Apvrille continues:
From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers [Fitbits].
When you think about it, the little accessories are the perfect delivery system for malware. Unlike a USB stick, people probably don’t expect their fitness trackers to be a target for hackers.
The really frustrating thing about this exploit is the fact that Fitbit’s known about the vulnerability since March when the Fortinet researchers contacted them, but the company still hasn’t fixed it. Now that details are out in the open, let’s hope Fitbit ups its security game. In the meantime, maybe just leave that gadget at home.
Update (10.22.2015): FitBit sent us the following statement regarding the hack:
As the market leader in connected health and fitness, Fitbit is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can’t be used to infect users with malware. We will continue to monitor this issue.
Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware.
We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit’s products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/.
Contact the author at adam@gizmodo.com.
Public PGP key
PGP fingerprint: 91CF B387 7B38 148C DDD6 38D2 6CBC 1E46 1DBF 22A8