Fitbit Hacked In 10 Seconds

A Fortinet security researcher says the fitness tracker can be hacked by anyone within Bluetooth range, whether or not it is paired to another device.

Larry Loeb, Blogger, Informationweek

October 22, 2015


The Fitbit fitness tracker can be easily hacked in as little as 10 seconds, according to a security researcher with Fortinet.

Building on a Bluetooth vulnerability that Dark Reading had previously written about, senior Fortinet researcher Axelle Apvrille said that the device can be hacked by anyone within Bluetooth range. Bluetooth pairing does not have to occur for the hack to be successful.

Apvrille demonstrated the hack technique at Hacktivity 2015 in Budapest, Hungary. Her slides illustrate how initial penetration via Bluetooth occurs very simply.

Further, she said that the tracker can be hacked without physically compromising it.

The vulnerability was reported to the manufacturer in March, but no fix has been issued thus far.

While the Fitbit device itself can be easily accessed from a Bluetooth device, the USB dongle that is used by the bracelet to communicate with a PC (and then to the Fitbit servers) seems to use encrypted transmissions when communicating with the Internet.

In an abstract of a talk scheduled to be delivered at hack.lu 2015, Apvrille notes, "While reverse engineering, we noticed trackers now use end to end encryption for their communications with Fitbit servers."

It therefore seems that there is no exploitable vulnerability attributable to the device reporting data.

Can this vulnerability in Bluetooth connectivity be used to inject malware in the device? Apvrille showed a proof of concept (PoC) attack in the Hacktivity slides.

While she did not use a payload in the PoC, there were 17 bytes available as injection space. Whether or not these 17 bytes could actually be a malware threat has sparked some debate on Twitter.

Fitbit responded to the assertions by telling Engadget that the product could not be used as an attack vector.


"As the market leader in connected health and fitness, Fitbit is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can't be used to infect users with malware. We will continue to monitor this issue."

Fitbit also admitted it knew about the vulnerability: "Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware."

As embedded devices get smaller and more wearable, this kind of discussion will undoubtedly occur again. Security will always depend on securing the entire system and all of its components, not just the individual parts.


(Editor's Note: After this article was posted, we received the following updated statement from Fitbit:

"On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor, Fortinet, that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users' devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.

"As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.

"We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit's products or online services to [email protected]. More information about reporting security issues can be found online at https://www.fitbit.com/security/.")

About the Author

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].
