Security researcher Axelle Apvrille demonstrated the vulnerabilities of the popular health tracker at the Hacktivity Conference in Budapest.
Apvrille, who works for Fortinet, showed how FitBit could theoretically be infected with malware that could then be transferred to the user’s computer. The security flaw exploits weaknesses in the device’s open Bluetooth connection, writes Amanda Schupak for CBS News.
Security researcher shows FitBit flaws
First, Apvrille manipulated data by reverse engineering the FitBit protocol; she then demonstrated how to send malware via Bluetooth to the wearable, which would be transferred to the user’s computer during the next sync.
The payload was just 17 bytes, but more than enough to infect the FitBit with a Trojan or other small pieces of malware. Apvrille took to Twitter to underline the fact that infection is purely theoretical at this stage: “Note however the scenario where a small virus propagates is – I believe – possible but not yet demoed,” she wrote.
“She showed that the FitBit firmware has vulnerabilities that allowed her to plant arbitrary bytes into the FitBit, those bytes then being ‘reflected’ to a computer talking to a Fitbit,” Guillaume Lovet, a senior manager at FortiGuard, part of Fortinet, told CBS News.
“She did not go as far as making a malicious payload with those bytes, that would exploit the computer (and plant some malware in it), but it is theoretically possible to do that,” he explained.
FitBit reassures customers over safety of device
Perhaps the most interesting part of the demonstration is that it showed how infection could theoretically occur in just 10 seconds, without any physical contact. As a result, a hacker need only be within a short distance for 10 seconds in order to infect your FitBit.
Apvrille told FitBit about the flaw in March and demonstrated her work once again at the Hack.lu event in Luxembourg this Wednesday.
“On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users’ devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required,” a Fitbit spokesperson told CBS News.
The company added: “we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.”