Fitbit Tracker Could Be Vulnerable to Quick Hack

The fitness bracelet on your wrist might be doing more than just counting calories. At least if it's a Fitbit model, according to new findings by researchers at security firm Fortinet. A vulnerability in the device's Bluetooth radio could allow a hacker to both manipulate code on the tracker itself, and theoretically deliver code to a computer.

Speaking at the Hack.Lu conference in Luxembourg, Fortinet security researcher Axelle Apvrille said she had developed a proof of concept attack that would allow a hacker to penetrate the device from anywhere within range of its radio's Bluetooth. Even worse, the hack only takes 10 seconds to execute.

Spying Through a Bracelet

Apvrille disclosed the proof of concept during her "Geek usages for your Fitbit Flex tracker" talk. In her presentation, she discussed how hackers could use the devices to gather private information on the users through the tracker. For example, by hacking the accelerometer's data, hackers could gather information on a user's sexual activities.

But even in the case of less prurient data, the Fitbit vulnerability could be profitable for thieves. Since Fitbit incentivizes users to exercise more by offering rewards through partner organizations, hackers could exploit the vulnerability to create fake exercise data, generating as many rewards as they wanted.

Spying on users and manipulating exercise data might be the least of the problems the vulnerability presents, though. Apvrille reported that she had also been able to deliver code. In fact, she said she was able to successfully deliver commands to both the tracker and the dongle that connected to a user's computer.

Beyond merely executing code on the tracker, Apvrille said she was able to use the tracker as a stepping-stone to infecting other machines. An attacker could, in principle, propagate an attack by initially injecting malicious code into the device....
