Pierluigi Paganini October 22, 2015

The security researcher Axelle Apvrille revealed that infect Fitbit trackers with a malware is too easy.

Axelle Apvrille has managed to infect FitBit Flex fitness tracker and uses them as infection vector to spread the malicious agent to any computers the devices are connected to.
The expert exploited a vulnerability in the Bluetooth that she discovered in March, despite the flaw was reported to the manufacturer it has yet to be patched.

Axelle Apvrille discovered that the popular FitBit Flex fitness trackers have the Bluetooth port open, this security issue could allow a nearby attacker to deliver an infected packet that is able to compromise the wearable object … in less than 10 seconds.

According to Apvrille, the rest of the attack occurs by itself, and the attacker doesn’t have to be near for that.

concerning that scenario of infecting a fitness tracker, it’s important to read the slide on limitations 1/ it’s a PoC, no malicious code

— Axelle Ap. (@cryptax) 21 Ottobre 2015

“[When] the victim wishes to synchronize his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code,” Axelle Apvrille explained to The Register.

“From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”

The wearable devices use proprietary technology, Axelle Apvrille searched for security issues by reverse-engineering the messages the device exchange the USB Bluetooth dongle.

The expert conducted a series of tests that allowed her to discover other security issues related to the on the Fitbit trackers, including the way to manipulate the information received by the devices, mimicking motion even when the Fitbit trackers are stopped.

Apvrille presented the findings of her research on the Fitbit trackers at the Hack.lu conference in Luxembourg .

Pierluigi Paganini

(Security Affairs – Fitbit trackers, IoT)

UPDATE October 23, 2015

I was contacted by a person on behalf of the Fitbit company that emailed  me the following statement that provides further info on the scenario described by the Apvrille.

“On Wednesday October 21, 2015, reports began circulating in the media based on claims from security vendor, Fortinet, that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users’ devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.

As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.

We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues.  We encourage individuals to report any security concerns with Fitbit’s products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/.”