The fitness bracelet on your wrist might be doing more than just counting calories. At least if it’s a Fitbit model, according to new findings by researchers at security firm Fortinet. A vulnerability in the device’s Bluetooth radio could allow a hacker to both manipulate code on the tracker itself, and theoretically deliver code to a computer.
Speaking at the Hack.Lu conference in Luxembourg, Fortinet security researcher Axelle Apvrille said she had developed a proof of concept attack that would allow a hacker to penetrate the device from anywhere within range of its radio’s Bluetooth. Even worse, the hack only takes 10 seconds to execute.
Spying Through a Bracelet
Apvrille disclosed the proof of concept during her “Geek usages for your Fitbit Flex tracker” talk. In her presentation, she discussed how hackers could use the devices to gather private information on the users through the tracker. For example, by hacking the accelerometer’s data, hackers could gather information on a user’s sexual activities.
But even in the case of less prurient data, the Fitbit vulnerability could be profitable for thieves. Since Fitbit incentivizes users to exercise more by offering rewards through partner organizations, hackers could exploit the vulnerability to create fake exercise data, generating as many rewards as they wanted.
Spying on users and manipulating exercise data might be the least of the problems the vulnerability presents, though. Apvrille reported that she had also been able to deliver code. In fact, she said she was able to successfully deliver commands to both the tracker and the dongle that connected to a user’s computer.
Beyond merely executing code on the tracker, Apvrille said she was able to use the tracker as a stepping-stone to infecting other machines. An attacker could, in principle, propagate an attack by initially injecting malicious code into the device. Then, when the tracker connected to a computer to synchronize its data, it could install a Trojan or set up a backdoor on the victim’s system.
Not So Bad?
Before throwing your Fitbit in the trash, there are some important caveats to the announcement. Apvrille emphasized that the vulnerability she discovered represented only a proof of concept. At the moment, no exploit using the vulnerability has been discovered active in the wild, and no malicious code has been written yet.
Furthermore, the bug only allows attackers to deliver a limited amount of code, up to 17 bytes. That’s not enough to allow a hacker to hijack the Fitbit for an advanced botnet, although it may be large enough to deliver other kinds of viruses. Apvrille said she alerted Fitbit to the exploit in March.
In a statement, a Fitbit spokesperson told us, “On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false.”
In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible, the spokesperson said. “Fitbit trackers cannot be used to infect users’ devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required,” she added.
The spokesperson said Fortinet first contacted Fitbit in March to report a low-severity issue unrelated to malicious software. “Since that time we’ve maintained an open channel of communication with Fortinet,” the spokesperson said. “We have not seen any data to indicate that it is possible to use a tracker to distribute malware.”
According to the spokesperson, Fitbit has a history of working closely with the security research community and always welcomes thoughts and feedback from researchers. “The trust of our customers is paramount,” the spokesperson said. “We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit’s products or online services to firstname.lastname@example.org.”