FitBit blasts hacking claims as false

Security researcher admits her allegations were "not possible", says device manufacturer

23/10/2015: Claims that FitBit fitness trackers can spread malware are false, according to the manufacturer.

Security researcher Axelle Apvrille, of Fortinet, said hackers could send malware via Bluetooth to FitBit devices within 10 seconds, then use them as platforms to distribute malware to a user's other devices when the FitBit connects to them.

The news made headlines two days ago, but today FitBit called the claims fake, and said the researcher had confessed the hack would not work in reality.

A spokeswoman said: "These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users' devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required."

Fortinet first contacted FitBit about the alleged flaw back in March regarding a "low-severity issue" that had nothing to do with malware, IT Pro understands, and since then FitBit has received no indication that its fitness trackers could distribute malware.

The FitBit spokeswoman added: "We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit's products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/."

IT Pro has approached Fortinet for comment.

21/10/2015: A flaw has been discovered in the FitBit fitness tracker that could allow a hacker to spread malware very quickly.

According to Fortinet researcher Axelle Apvrille, a hacker could gain access to the wearable within 10 seconds. The infected tracker could then spread malware to other computers whenever the FitBit connects to them.

"An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near," she told the Register.

When the victim syncs their data with FitBit servers, the infected device sends the infected code alongside that data. The tracker could then deliver a malicious payload to a PC, such as a backdoor, or crash the computer, as well as propagate itself to other FitBit devices.

Other manipulations described include inflating the number of steps taken or distances covered in order to earn achievement badges.

The manufacturers were warned of the bug back in March, and at the time of writing, a fix is still being worked on.

Apvrille will demo a proof-of-concept of the flaw at the Hack.Lu conference this week. She said a video demonstrates how the infection persists over multiple messages.

Ryan O'Leary, senior director of the Threat Research Centre at WhiteHat Security said that in creating a small wireless network, a user opens themselves up to others in the area being able to exploit flaws and connect to their personal network.

"In some cases an attacker might not even need to exploit any weakness; there's a Bluetooth mode that allows any device to connect to the network without security measures," he said.

"The range of Bluetooth is surprisingly far, as evidenced by the FitBit hack, which allows attackers to be several meters away and still connect to the user's Bluetooth network. Unfortunately for the user there is no easy way to protect yourself against these attacks and still use the Bluetooth technology. The manufacturers of these devices need to balance the ease of using the device as well as the security of the device to make a product that is secure."
