FitBit blasts hacking claims as false

Security researcher admits her allegations were "not possible", says device manufacturer

23/10/2015: Claims that FitBit fitness trackers can spread malware are false, according to the manufacturer.

Security researcher Axelle Apvrille, of Fortinet, said hackers could send malware via Bluetooth to FitBit devices within 10 seconds, then use them as platforms to distribute malware to a user's other devices when the FitBit connects to them.

The news made headlines two days ago, but today FitBit called the claims fake, and said the researcher had confessed the hack would not work in reality.

A spokeswoman said: "These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users' devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required."

Fortinet first contacted FitBit about the alleged flaw back in March regarding a "low-severity issue" that had nothing to do with malware, IT Pro understands, and since then FitBit has received no indication that its fitness trackers could distribute malware.

The FitBit spokeswoman added: "We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit's products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/."

IT Pro has approached Fortinet for comment.

21/10/2015: A flaw has been discovered in the FitBit fitness tracker that could allow a hacker to spread malware very quickly.

According to Fortinet researcher Axelle Apvrille, a hacker could gain access to the wearable within 10 seconds. The infected tracker could then spread malware to other computers whenever the FitBit connects to them.

"An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance, then the rest of the attack occurs by itself, without any special need for the attacker being near," she told the Register.

When the victim syncs their data with FitBit servers, the infected device sends that data alongside the infected code. The tracker could then deliver a malicious payload to a PC, such as a backdoor, or crash the computer, as well as propagating itself to other FitBit devices.

Among the hacks that can be carried out are increasing the number of steps taken or distances covered in order to earn achievement badges.

The manufacturers were warned of the bug back in March, and at the time of writing, a fix is still being worked on.

Apvrille will demo a proof-of-concept of the flaw at the Hack.Lu conference this week. She said a video demonstrates how the infection persists over multiple messages.

Ryan O'Leary, senior director of the Threat Research Centre at WhiteHat Security, said that in creating a small wireless network, a user opens themselves up to others in the area being able to exploit flaws and connect to their personal network.

"In some cases an attacker might not even need to exploit any weakness; there's a Bluetooth mode that allows any device to connect to the network without security measures," he said.

"The range of Bluetooth is surprisingly far, as evidenced by the FitBit hack which allows attackers to be several meters away and still connect to the user's Bluetooth network. Unfortunately for the user there is no easy way to protect yourself against these attacks and still use the Bluetooth technology. The manufacturers of these devices need to balance the ease of using the device as well as the security of the device to make a product that is secure."
