Fortinet researcher Axelle Apvrille has discovered a vulnerability in Fitbit devices that opens them up to simple malware attacks. More importantly, malicious code sent to a Fitbit device without the user's knowledge can then infect the computer used to sync the data collected by the wearable. According to Apvrille, a Fitbit can be hacked over Bluetooth and the delivery takes just 10 seconds. A hacker only has to be within Bluetooth range of the target to send the code, and then wait for the target to connect his or her Fitbit to a PC. According to Apvrille, once transmitted to the Fitbit, the malicious code survives even if the device is restarted. Once that's done, the second phase of the attack commences, as the malicious code can infect the computer with a backdoor, trojan or any other malicious program. "An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near," Apvrille said. "[When] the victim wishes to synchronize his or her fitness data with Fitbit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code." She continued, "From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits)."

The ease of delivery (the attack can be completed in under 10 seconds) means that hackers could gain access to a computer via the Fitbit device, potentially wreaking havoc. Apvrille informed Fitbit about the exploit in March 2015. It does not appear that Fitbit has patched the vulnerability; however, Apvrille said she had found no indication of the bug being exploited in the wild. Apvrille will offer a proof-of-concept demonstration video at the Hack.Lu conference in Luxembourg.

Fitbit reached out to us with this statement: "As the market leader in connected health and fitness, Fitbit is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can't be used to infect users with malware. We will continue to monitor this issue. Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware. We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit's products or online services to [email protected]. More information about reporting security issues can be found online at https://www.fitbit.com/security/."