Fitbit health trackers can track your health, but that is not all they can do!
A vulnerability in the device, reported to the vendor back in March, is still open, and it is easy for attackers to exploit. Fitbit is one of the most popular health-tracking devices, letting fitness enthusiasts track their achievements and their level of fitness.
Wearables like Fitbit rely mostly on Bluetooth, so a simple Bluetooth attack can plant malware on the device, which can then spread to other computers through the sync data stored on the tracker.
According to Fortinet researcher Axelle Apvrille, the attack is very quick and the malicious code can be delivered without the user's knowledge. The attacker only needs to be within several meters of the device to initiate the attack, and it takes just 10 seconds.
As The Register reports, in an interview with its Vulture South desk Axelle Apvrille (@cryptax) said that the attack is fully persistent, meaning the malware remains fully armed and active even after the FitBit Flex is restarted.
“An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near. When the victim wishes to synchronize his or her fitness data with Fitbit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.”
FitBit acknowledged that it received this information from the security researcher in March; however, the company found it irrelevant and claimed that its devices were not vulnerable. Because of this claim, Apvrille decided to create a video demonstration, which you can watch below:
The proof-of-concept demonstration will also be presented at the Hack.Lu conference in Luxembourg.
“The video demonstrates that the infection persists over multiple messages,” she says. “Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code.”
The ‘malware delivery’ hack is not the only attack the respected malware researcher was able to pull off.
She also claims that it is easy to manipulate the step count and distance stored on a FitBit device and exchange them for badges, discounts, and other prizes. The badges can be redeemed through third-party services such as Higi.
If FitBit does not care about its users becoming victims, perhaps it will listen to this security researcher when it comes to prizes and discounts.
Have a safe fitness activity!