A security researcher has developed a method by which one can exploit a vulnerability in FitBit fitness trackers and subsequently deliver malware to the target device in 10 seconds.
Axelle Apvrille (@cryptax), a malware researcher at network security firm Fortinet, has found that FitBit wearables leave their Bluetooth ports open, a property which could enable an attacker within a few meters to connect a device and deliver malware to the bracelet.
The hack takes about 10 seconds to complete and requires a minute to verify. Once the malware has been delivered, any device (laptop, PC, or otherwise) that connects to the wearable can be infected with a backdoor, trojan, or other malicious software program.
“An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near,” Apvrille told The Register. “[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code. From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”
This is reportedly the first time malware has been delivered to a fitness tracker.
A proof-of-concept video of the hack is available.
Additionally, Apvrille will be presenting her research on Wednesday at this year’s Hack.lu conference. It exploits a vulnerability she warned FitBit about back in March of this year and which the company expects will be patched at some point.
“Fitness Flex is a fitness wristband which records your fitness activity: walking, running – and also sleep efficiency,” begins the description for her presentation, entitled “Geek usages for your FitBit Flex tracker”. “Since prior infamous security and privacy issues – such as public web disclosure of sexual activity – Fitbit has made significant progress. While reverse engineering, we noticed trackers now use end to end encryption for their communications with Fitbit servers. Is this good? or bad? What happens if Fitbit servers are unreachable? What can we possibly do with the wristband besides activity tracking?”
Apvrille is well respected for her malware research, which includes her discovery back in the spring of last year that more than 75,000 iPhone users of jailbroken devices had been targeted by Chinese AdThief malware.