Fitbit hacked from 10 feet away, security firm says

My buddy Aamir aka dr chaos was featured on multiple websites for research his team was involved with regarding a vulnerbility with the Fitbit tracker. The original story from USA today can be found HERE.

Corrections & Clarifications: A previous version of this story said that a Fitbit was hacked with malware. Instead, the code the Fortinet researcher was able to inject into a Fitbit Flex via Bluetooth was placeholder code.

SAN FRANCISCO—A researcher presenting at a European computer security conference demonstrated how it was possible to send computer code  into a Fitbit, giving her a potential back door to enter cells phones or computers synched to the fitness device, according to security company Fortinet.

“Our researcher was able to take a Bluetooth antenna, take her laptop and scan the air for devices,” said Aamir Lakhani, chief security analyst with Fortinet, a Sunnyvale, Calif.-based computer security company, told USA TODAY after the demonstration.

Once Fortinet researcher Axelle Apvrille found a Fitbit in the vicinity, she used its Bluetooth connection to upload a small piece of unauthorized  software into the device, Lakhani said. This is proof of concept that such an attack is possible, he said.

Apvrille had to be within ten feet of the Fitbit for her exploit to work.

BLUETOOTH LINK

When the Fitbit was synched via Bluetooth up to a smart phone or laptop, she possibly could have sent software to the connecting device as the Fitbit uploaded its data, said Lakhani.

However Fortinet clarified Thursday that Apvrille was only able to upload placeholder code and so had no proof that it was actually possible to transfer malware from a Fitbit to a second device.

Fitbit said it was not possible to infect a Fitbit device with malware via Bluetooth.

“The Fortinet researcher Axelle Apvrille, who originally made these claims, has confirmed to Fitbit that this was only a theoretical scenario and is not possible,” said Sasha Biskup, Fitbit’s director of security.

Fitbit trackers cannot be used to infect user’s devices with malware, Biskup said.

The company said it will continue to monitor the issue.

Apvrille presented her research Wednesday at Hack.lu, a security conference held in Luxembourg.

She used a Fitbit Flex, a fitness wristband that records the users’ fitness activities such as walking and  running. Using BlueTooth, the user can then upload their information to the phone or computer.

The software Apvrille inserted into the Fitbit was very small, “just a few lines of code,” said Lakhani.

Apvrille posted a video of the experiment on YouTube. She informed FitBit of her findings this summer, Lakhani said.

No one has seen an attack like this “in the wild” and it’s considered simply a proof of concept, said Lakhani. “This specific attack was very specific to Fitbit,” he said.

EXPERT: ‘IT’S AN ENTRY’

Based on what he’s seen, and the generally poor quality of Bluetooth security, “I would have no reason to suspect that this is not a real issue,” said Ryan O’Leary, senior director of threat research at WhiteHat Security, a Santa Clara, Calif.-based computer security company.

While it wouldn’t be possible to craft a “mega exploit” out of this, “it’s an entry. You’re basically making a little bit of a back door into their system. You potentially could do a lot of negative things with [the user’s] machine,” he said.

However given that the would-be attacker must be within ten feet of the Fitbit, this particular hack is unlikely to become a major problem.

“You have to be around somebody with a Fitbit for at least ten seconds. So it probably doesn’t harm a lot of people,” O’Leary said.

Bad guys want to infect millions of people, he said, “not just the two or three who run by.”