"An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near," Apvrille told The Register. "[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code. From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits)."

This is reportedly the first time malware has been delivered to a fitness tracker. A proof-of-concept video of the hack can be viewed here. Additionally, Apvrille will be presenting her research, which exploits a vulnerability she warned FitBit about back in March of this year and which the company expects will be patched at some point, on Wednesday at this year's Hack.lu conference.
"Fitness Flex is a fitness wristband which records your fitness activity: walking, running - and also sleep efficiency," begins the description for her presentation, entitled "Geek usages for your FitBit Flex tracker". "Since prior infamous security and privacy issues - such as public web disclosure of sexual activity - Fitbit has made significant progress. While reverse engineering, we noticed trackers now use end-to-end encryption for their communications with Fitbit servers. Is this good? Or bad? What happens if Fitbit servers are unreachable? What can we possibly do with the wristband besides activity tracking?"

Apvrille is well respected for her malware research, which includes her discovery in the spring of last year that more than 75,000 users of jailbroken iPhones had been targeted by the Chinese AdThief malware.