In one of the more surprising security stories of recent days, Fitbit has come out to deny claims that its devices can be ‘hacked in 10 seconds’.
A security expert recently spoke at the Hacktivity Conference in Budapest, noting how many people in the audience were wearing Fitbits.
Axelle Apvrille, a senior researcher at Fortinet, then demonstrated how each device could be compromised via a Bluetooth connection.
Her presentation was just a “proof of concept”, rather than a full hack into the devices but, in theory, it all seems possible.
When in range, she said, a hacker could infect the wearable with code in just a few seconds.
While originally reported to mean that, upon putting malicious code onto a Fitbit, hackers could spread it amongst any linked devices, Apvrille has since explained that the hack would need to be executed on the host computer to do any damage.
That would require an exploit that does not currently exist.
concerning that scenario of infecting a fitness tracker, it's important to read the slide on limitations 1/ it's a PoC, no malicious code
— Axelle Ap. (@cryptax) October 21, 2015
2/ to complete the scenario you'd need to execute the malicious code on the victim's host. This is yet to do (requires an exploit?)
— Axelle Ap. (@cryptax) October 21, 2015
3/ only 17 bytes available. Though I don't feel that's really an issue 4/ I lose a few bytes after reset (but I don't think that's a big pb)
— Axelle Ap. (@cryptax) October 21, 2015
Apvrille reportedly informed Fitbit of the vulnerability months ago, with little done since, it seems.
It should be noted that Apvrille presented this as an example from a security standpoint, and not something already out in the wild, yet Fitbit has come out in defence of its products, claiming Fortinet’s discovery was flagged back in March but it has “not seen any data to indicate that it is currently possible” to hack into the devices.
“We believe that security issues reported today are false, and that Fitbit devices can’t be used to infect users with malware,” said Fitbit in a statement. “We will continue to monitor this issue.”
Update (23 October, 7.20am) – Fitbit has since been in touch with further comment on the suggested security issues, saying:
On Wednesday October 21, 2015, reports began circulating in the media based on claims from security vendor, Fortinet, that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect user’s devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.
As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.
We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit’s products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/.
