Fitbit trackers may have a vulnerability that can let somebody within Bluetooth range quickly hack them, according to security company Fortinet. Worse yet, once the attackers are in, the device could infect any computer that tries to sync with it. Via Twitter, senior Fortinet researcher Axelle Apvrille told Engadget "you don't need physical access (to the tracker), but you do need to be close (Bluetooth range). It does not matter if it is paired (to another device) or not." When in range, a bad actor could infect the device in as little as 10 seconds. Apvrille informed Fitbit of the vulnerability back in March, but the wearable outfit has yet to fix the issue, according to the Register.
In addition, the vulnerability remains in the wearable even after it's reset. Once infected, the device can potentially install a virus, trojan or other malware on your computer, even days later. "An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near," Apvrille said. While the Fitbit uses encryption, the Bluetooth transmitter itself is apparently wide open, allowing attackers in. If you want to find out more, Apvrille will present her findings via a video demonstration at the Hack.lu 2015 conference tomorrow in Luxembourg.
@AaronIsSocial you don't need physical access, but you need to be close (bluetooth range). It does not matter if it is paired or not. — Axelle Ap. (@cryptax), October 21, 2015
Update: Fitbit told Engadget that "we believe that security issues reported today are false, and that Fitbit devices can't be used to infect users with malware." It said that while Fortinet did contact them to report a "low-severity issue," there was no indication it could be used to distribute malware. Apvrille said (by Twitter) that while their hack was a proof-of-concept showing that code could be injected into the wearable, they didn't actually create any malicious code.
In addition, there's no known malicious code in the wild, and any code would actually need to be executed on the host computer to do any damage. It's also limited to 17 bytes or less, though Apvrille didn't think that was a problem. Fitbit's full statement is below, as are the tweets from Fortinet's Apvrille. The post has been updated to reflect this new information.
As the market leader in connected health and fitness, Fitbit is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can't be used to infect users with malware. We will continue to monitor this issue.
Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware.
We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit's products or online services to email@example.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/.
concerning that scenario of infecting a fitness tracker, it's important to read the slide on limitations 1/ it's a PoC, no malicious code — Axelle Ap. (@cryptax), October 21, 2015
2/ to complete the scenario you'd need to execute the malicious code on the victim's host. This is yet to do (requires an exploit?) — Axelle Ap. (@cryptax), October 21, 2015
3/ only 17 bytes available. Though I don't feel that's really an issue 4/ I lose a few bytes after reset (but I don't think that's a big pb) — Axelle Ap. (@cryptax), October 21, 2015