FitBit blasts hacking claims as false

23/10/2015: Claims that FitBit fitness trackers can spread malware are false, according to the manufacturer.

Security researcher Axelle Apvrille, of Fortinet, said hackers could send malware via Bluetooth to FitBit devices within 10 seconds, then use them as platforms to distribute malware to a user's other devices when the FitBit connects to them.

The news made headlines two days ago, but today FitBit called the claims fake, and said the researcher had confessed the hack would not work in reality.

A spokeswoman said: "These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect user's devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required."

Fortinet first contacted FitBit about the alleged flaw back in March regarding a "low-severity issue" that had nothing to do with malware, IT Pro understands, and since then FitBit has received no indication that its fitness trackers could distribute malware.

The FitBit spokeswoman added: "We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit's products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/."

IT Pro has approached Fortinet for comment.

21/10/2015: A flaw has been discovered in the FitBit fitness tracker that could allow a hacker to spread malware very quickly.

According to Fortinet researcher Axelle Apvrille, a hacker could gain access to the wearable within 10 seconds. The infected tracker could then spread malware to other computers whenever the FitBit connects to them.

"An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near," she told the Register.

When the victim syncs their data with FitBit servers, the infected device sends the infected code alongside that data. The tracker could then deliver a malicious payload to a PC, such as a backdoor, or crash the computer, as well as propagating itself to other FitBit devices.

Among the hacks that could be carried out is inflating the number of steps taken or the distance covered in order to earn achievement badges.

The manufacturers were warned of the bug back in March, and at the time of writing, a fix is still being worked on.

Apvrille will demo a proof-of-concept of the flaw at the Hack.Lu conference this week. She said a video demonstrates how the infection persists over multiple messages.

Ryan O'Leary, senior director of the Threat Research Centre at WhiteHat Security, said that in creating a small wireless network, a user opens themselves up to others in the area being able to exploit flaws and connect to their personal network.

"In some cases an attacker might not even need to exploit any weakness; there's a Bluetooth mode that allows any device to connect to the network without security measures," he said.

"The range of Bluetooth is surprisingly far, as evidenced by the FitBit hack, which allows attackers to be several meters away and still connect to the user's Bluetooth network. Unfortunately for the user, there is no easy way to protect yourself against these attacks and still use the Bluetooth technology. The manufacturers of these devices need to balance the ease of using the device as well as the security of the device to make a product that is secure."