Fortinet researcher Axelle Apvrille (@cryptax) has brought it to Fitbit's attention that, she says, its trackers can be hacked in 10 seconds. The attack is carried out over Bluetooth from just a few feet away, and once a Fitbit is compromised it can, according to her research, infect the computers and devices it is later synchronized with.
Apvrille told The Register: “[When] the victim wishes to synchronize his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.” She adds: “From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”

Apvrille will present her findings at the Hack.Lu conference in Luxembourg on October 22. Hack.Lu describes itself as an “open convention/conference where people can discuss about computer security, privacy, information technology and its cultural/technical implication on society.” At least you can take the Fitbit off: one of the Hack.Lu keynotes is research scientist Marie Moe's account of living with an implanted pacemaker that turned out to be a vulnerable Internet-of-Things device.
Note: The following response was supplied by a FitBit spokesperson on October 22:
On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users’ devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.
As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.
We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit’s products or online services to [email protected]. More information about reporting security issues can be found online at https://www.fitbit.com/security/.