Fitbit denies its devices can be ‘hacked in 10 seconds’ – Updated

22 Oct 20152 Shares

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

In one of the more surprising security stories of recent days, Fitbit has come out to deny claims that its devices can be ‘hacked in 10 seconds’.

A security expert recently spoke at the Hacktivity Conference in Budapest, noting how many people in the audience were wearing Fitbits.

Axelle Apvrille, a senior researcher at Fortinet, then demonstrated how each device could be compromised via a Bluetooth connection.

Her presentation was just a “proof of concept”, rather than a full hack into the devices but, in theory, it all seems possible.

When in range, she said, a hacker could infect the wearable with code in just a few seconds.

While originally reported to mean that, upon putting malicious code onto a Fitbit, hackers could spread it amongst any linked devices, Apvrille has since explained that the hack would need to be executed on the host computer to do any damage.

That would require an exploit that does not currently exist.

Apvrille reportedly informed Fitbit of the vulnerability months ago, with little done since, it seems.

It should be noted that Apvrille presented this as an example from a security standpoint, and not something already out in the wild, yet Fitbit has come out in defence of its products, claiming Fortinet’s discovery was flagged back in March but it has “not seen any data to indicate that it is currently possible” to hack into the devices.

“We believe that security issues reported today are false, and that Fitbit devices can’t be used to infect users with malware,” said Fitbit in a statement. “We will continue to monitor this issue.”

Update (23 October, 7.20am) – Fitbit has since been in touch with further comment on the suggested security issues, saying:

On Wednesday October 21, 2015, reports began circulating in the media based on claims from security vendor, Fortinet, that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect user’s devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.

 As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.

 We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues.  We encourage individuals to report any security concerns with Fitbit’s products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/.

Gordon Hunt is a journalist at Siliconrepublic.com

editorial@siliconrepublic.com