A Fitbit fitness tracker can be hacked in as little as 10 seconds, according to a security researcher at Fortinet.
Building on a Bluetooth vulnerability that Dark Reading had previously written about, Fortinet senior researcher Axelle Apvrille said that the device can be hacked by anyone within Bluetooth range. No Bluetooth pairing with the tracker is required for the attack to succeed.
Further, she said that the tracker can be hacked without physically compromising it.
The vulnerability was reported to the manufacturer in March, but no fix has been issued thus far.
While the tracker itself can be reached by any Bluetooth device in range, the USB dongle that the tracker uses to communicate with a PC (and, through it, with the Fitbit servers) appears to encrypt its transmissions over the Internet.
In an abstract of a talk scheduled to be delivered at hack.lu 2015, Apvrille notes, "While reverse engineering, we noticed trackers now use end to end encryption for their communications with Fitbit servers."
It therefore appears that the sync path by which the tracker reports its data to Fitbit's servers is not where the exploitable weakness lies; the issue is on the tracker's Bluetooth side.
Can this Bluetooth vulnerability be used to inject malware into the device? Apvrille showed a proof of concept (PoC) attack in her Hacktivity slides.
She did not deliver a payload in the PoC, but she found 17 bytes of space available for injection. Whether those 17 bytes could amount to an actual malware threat has sparked some debate on Twitter.
Fitbit responded to the assertions by telling Engadget that the product could not be used as an attack vector.
"As the market leader in connected health and fitness, Fitbit is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can't be used to infect users with malware. We will continue to monitor this issue."
Fitbit also acknowledged that it had known about the issue for months: "Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware."
As embedded devices get smaller and more wearable, this kind of discussion will undoubtedly occur again. Security will always depend on securing the entire system and all of its components, not just the individual parts.
(Editor's Note: After this article was posted, we received the following updated statement from Fitbit:
"On Wednesday October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users' devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.
"As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.
"We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit's products or online services to [email protected]. More information about reporting security issues can be found online at https://www.fitbit.com/security/.")