What happens after the world learns a hacker can wirelessly infect a Fitbit with malware in 10 short seconds? Security drama.
At the Hack.Lu 2015 security conference in Luxembourg, Fortinet researcher Axelle Apvrille (@cryptax) presented a proof-of-concept attack on Fitbit fitness trackers: an attacker in close range needed only 10 seconds to wirelessly inject foreign code into a Fitbit wristband over Bluetooth. The foreign code could persist on the tracker and then be passed on to a PC or other devices the Fitbit syncs with.
Fitbit was quick to come out swinging in its own defense, issuing numerous statements such as the following to NBC News. “These reports are false. In fact, the Fortinet researcher Axelle Apvrille who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users' devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.”
Apvrille, however, pushed back: she has not retracted her research or her demo, and she maintains that the research is accurate.
During her presentation, Apvrille mentioned previous privacy issues, such as the public disclosure of users' sexual activity, which Fitbit had fixed, before asking, “What can we possibly do with the wristband besides activity tracking?” Her presentation, “Geek usages for your Fitbit Flex tracker” (pdf), noted that steps, distance, calories and very active minutes could all be manipulated, i.e. hacked, “without opening/compromising the tracker.”
The portion that really snagged the attention of security- and privacy-minded readers was Apvrille's demonstration of infecting a Fitbit Flex over Bluetooth. Granted, an attacker can inject at most 17 bytes of foreign code, but she pointed out that the Trojan capable of crashing a Pentium (the F00F instruction sequence) was a mere four bytes and the Mini DOS virus was only 13 bytes.
“An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near,” Apvrille says. “When the victim wishes to synchronize his or her fitness data with Fitbit servers to update their profile ... the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code. From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”
Since Fitbit has been busy issuing denials, Apvrille also responded on Twitter.
Fitbit could be freaking out over the bad press because wearables are big business. About 70 million fitness trackers were sold in 2014. Fitbit announced it had sold 4.5 million wearable devices in the second quarter of 2015 alone, a 250% revenue increase over the second quarter of 2014, and it expects to rake in $1.6 - $1.7 billion in revenue during 2015. In other words, Fitbit health and fitness trackers are exceedingly popular. Even President Obama wears a Fitbit; he has been wearing a Fitbit Surge for 8 months.
After defending its researcher, Fortinet explained:
There are three steps to seeing this go from ‘proof of concept’ to a problem in the wild:
1. Upload malicious code to any Fitbit wristband in close range.
2. Automatically transmit the code from the Fitbit wristband to any computer that connects to it (via the Fitbit dongle).
3. Have the code be executed by the connected computer.
Fortinet researchers demonstrated and verified steps 1 and 2. Step 3 would rely on exploiting a vulnerability in the computer to which the Fitbit wristband was synced, which was out of the scope of our research.
To date, we are not aware of an exploit that would enable this third step, nor did we actively look for one. However, we would caution against working under the assumption there is no such exploit possible, now or in the future.
The security issue was discovered in January 2015, vetted internally, and then responsibly disclosed to Fitbit on February 13. After Fitbit replied in March, “Fortinet provided details to Fitbit to fix the vulnerability.”
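The three steps above, as an added toy simulation written for this page (it is not Fitbit's firmware, the Fitbit sync protocol, or Fortinet's code): only the 17-byte figure comes from the talk; the field names, the sync framing, the `Tracker`, `NaiveHost` and `HardenedHost` classes and the write-back-on-connect behaviour are assumptions. It shows why one injection near one wristband is enough: once a host that acts on the extra field has synced, it carries the bytes to every other tracker it meets, whereas a host that treats the field as opaque data stops the chain at step 3.

```python
# Added example for this page: a toy model of the three-step chain Fortinet
# describes (inject on the tracker, replay on sync, act on the host). It is
# NOT Fitbit firmware or the real sync protocol; the 17-byte limit comes from
# the talk, everything else (field names, framing, host behaviour) is assumed.
from dataclasses import dataclass

MAX_INJECT = 17  # bytes of foreign data per message, per the talk


@dataclass
class Tracker:
    """A wristband with one attacker-writable field that survives across syncs (assumed)."""
    name: str
    steps: int = 0
    scratch: bytes = b""

    def receive_ble(self, payload: bytes) -> bool:
        """Step 1: anyone in Bluetooth range can write up to MAX_INJECT bytes."""
        if len(payload) > MAX_INJECT:
            return False
        self.scratch = payload
        return True

    def sync_response(self) -> dict:
        """Step 2: the normal sync record goes out with the tainted field attached."""
        return {"steps": self.steps, "extra": self.scratch}

    @property
    def infected(self) -> bool:
        return self.scratch != b""


class NaiveHost:
    """Host software that acts on the extra field (step 3, hypothetical)."""

    def __init__(self) -> None:
        self.carried = b""   # foreign bytes the host now holds
        self.acted_on = []   # stands in for "executing" the payload

    def on_connect(self, tracker: Tracker) -> None:
        # Propagation: a host that already carries the payload writes it to
        # every tracker that connects, so the attacker need not be nearby.
        if self.carried:
            tracker.receive_ble(self.carried)

    def sync(self, tracker: Tracker) -> int:
        resp = tracker.sync_response()
        if resp["extra"]:
            self.acted_on.append(resp["extra"])
            self.carried = resp["extra"]
        return resp["steps"]


class HardenedHost:
    """Host software that treats everything from the tracker as data with a fixed schema."""

    def __init__(self) -> None:
        self.dropped = []    # unexpected bytes are logged as hex, never acted on

    def on_connect(self, tracker: Tracker) -> None:
        pass  # the host never writes tracker-supplied bytes back to a device

    def sync(self, tracker: Tracker) -> int:
        resp = tracker.sync_response()
        steps = resp["steps"]
        if not isinstance(steps, int) or steps < 0:
            raise ValueError(f"{tracker.name}: bad step count {steps!r}")
        if resp["extra"]:
            self.dropped.append((tracker.name, resp["extra"].hex()))
        return steps


def simulate(host_cls, n_trackers: int = 3) -> int:
    """One attacker injection, then every tracker syncs through the same host.
    Returns how many trackers end up carrying the foreign bytes."""
    trackers = [Tracker(f"flex-{i}", steps=1000 * (i + 1)) for i in range(n_trackers)]
    host = host_cls()
    # Constructed payload: a maximum-size 17-byte blob written to one tracker in range.
    if not trackers[0].receive_ble(b"\x90" * MAX_INJECT):
        raise RuntimeError("injection rejected")
    for t in trackers:
        host.on_connect(t)
        host.sync(t)
    return sum(t.infected for t in trackers)


if __name__ == "__main__":
    print("naive host   :", simulate(NaiveHost), "trackers infected")
    print("hardened host:", simulate(HardenedHost), "trackers infected")
```

With the naive host all three trackers end up infected after a single injection; with the hardened host only the tracker the attacker touched does, and the stray bytes show up in its log as hex for an analyst to look at rather than being interpreted.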
If it isn't a workable vulnerability, that would be great news for Fitbit owners. But it certainly seems that someone with more malicious intent than Apvrille could build on it. If Fitbit chose not to patch the issue, whether because it judged exploitation unlikely, because the demo stopped short of showing the full damage a malicious payload could do, or for some other reason, it would seem wise to push a fix now.
Fitbit maintains it is concerned with data privacy and security, but says it has not seen data proving that a tracker can be used to distribute malware; the company encourages researchers to “report any security concerns” by e-mail.