Researcher shows how it could take hackers just 10 seconds to wirelessly upload malware to a FitBit

By midian182 · 4 replies
Oct 22, 2015
  1. In recent times, hackers have been discovering ways to exploit wireless systems in a number of devices, from vehicle infotainment centers to self-aiming sniper rifles. It now seems another gadget may be added to this list, as Fortinet researcher Axelle Apvrille has revealed that fitness-tracking wristband FitBit, which has sold more than 20 million devices worldwide, can theoretically be hacked in just ten seconds and used to spread malware to any computer it syncs with.

    According to The Register, an attack on a FitBit via Bluetooth would only require an attacker to be a few feet from a target for around ten seconds after the devices connect. Any computer that later connects with the wearable can be infected with a backdoor, trojan, or some other form of malware used by the hacker.

    An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance, then the rest of the attack occurs by itself, without any special need for the attacker being near. [When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile […] the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code. From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).

    Apvrille will be presenting a proof-of-concept demonstration video at the Hack.Lu conference taking place in Luxembourg today. "The video demonstrates that the infection persists over multiple messages," she says. "Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code."

    FitBit has apparently been aware of the problem since March, when Apvrille contacted the company about it. FitBit says it believes the vulnerability, which is the first instance of a fitness wearable shown to be potentially hackable, is a low-severity issue and unrelated to malicious software. The researcher has pointed out that the attack is a proof of concept and not something that's in the wild.

    This isn't the first instance of FitBit making headlines due to security failings. In 2011, blogger Andy Baio tweeted that Fitbit fitness band users' sexual activity was showing up in Google search results by accident, revealing whether they had engaged in "vigorous" or "passive and light" efforts.

  2. tonylukac

    tonylukac TS Evangelist Posts: 1,372   +69

    Try applying to the YMCA anyway. They don't mail you anything yearly to renew, and twice I was not sent the application when calling to request it. Happens every year. Let's all hire some programmers. Nice though that they don't deduct the money from your bank account forever like on that Friends episode, as I have wire transfer. Have lost more weight walking to the bus than on the treadmill, since I don't drive anymore. Like those college days when I could eat a horse and not gain weight (due to walking) and like it. Stamina too.
  3. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 8,647   +3,274

    10 seconds? Why does it take so long? Are hackers getting slower these days?
  4. MonsterZero

    MonsterZero TS Evangelist Posts: 440   +223

    The friend bisons the shock. Learning familiarizes the peace, why does the education communicate the true regret? The jobless view restores the behavior, how does the level consult the futuristic authority?
  5. tonylukac

    tonylukac TS Evangelist Posts: 1,372   +69
