Free Republic

Fitbit health trackers can be hacked in just 10 seconds
Business Insider ^ | October 21, 2015 09:00 am | by Max Slater-Robins

Posted on 10/21/2015 11:39:38 PM PDT by Swordmaker

Fitbit offer a range of fitness wearables.

Fitbit wearables can be hacked in 10 seconds, allowing the intruder to infect any PC connected to it, The Register reports.

Fitbit make a series of wearable devices that measure health statistics, such as blood pressure and heart rate. All of the information is then passed onto an online hub. 

The hack, which Fitbit was made aware of in March, uses the open Bluetooth connection of a Fitbit wearable. Through this, a hacker could dump malware onto the wearable which would then be transferred to any computer the Fitbit came into contact with.

The ease of delivery — the attack can be completed in under 10 seconds — means that hackers can easily gain access to a computer via the Fitbit device, potentially wrecking havoc. 

According to researcher Axelle Apvrille "[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code."  

(Excerpt) Read more at businessinsider.com ...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: applepinglist

1 posted on 10/21/2015 11:39:38 PM PDT by Swordmaker

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
Word of warning. . . Fitbit wearables can be hacked in just 10 seconds and then carry malware to the computers they link to by Bluetooth connections. This is not a good development. — PING!

Ping to dayglored, Shadow Ace, ThunderSleeps for your ping lists.


Fitbit Security 10 Second Hacking
Warning Ping!

The Latest Apple/Mac/iOS Pings can be found by searching Keyword “ApplePingList” on Freerepublic’s Search.

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 10/21/2015 11:44:48 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

But what can you do if you hack a Fitbit? Make people think they only walked 2000 steps, when they really walked 4000?


3 posted on 10/21/2015 11:53:17 PM PDT by nickcarraway

To: nickcarraway
> But what can you do if you hack a Fitbit? Make people think they only walked 2000 steps, when they really walked 4000?

yeah my thoughts too...what use is it to hack one really. Someone just did it to see if they could. They must've owned one.

4 posted on 10/22/2015 12:36:34 AM PDT by jsanders2001

To: jsanders2001; nickcarraway

I believe that what the hacker does is turn the Fitbit into a Trojan Horse that delivers code to your computer that will then give the hacker access to your computer. Possibly sending your personal data to the hacker's computer or maybe just insert code to erase your hard drive.


5 posted on 10/22/2015 12:50:05 AM PDT by Pontiac (The welfare state must fail because it is contrary to human nature and diminishes the human spirit.)

To: Pontiac; jsanders2001

Aha. Okay. Well, I am guessing if a hacker can do that he has serious skillz.


6 posted on 10/22/2015 12:52:25 AM PDT by nickcarraway

To: nickcarraway
Thinking about it some more it seems to me that Fitbit was fairly security stupid if they set up their product to have the Bluetooth always on and to have it pair with any device in range.

Any Bluetooth device should always ask the owner if it should accept pairing.

I haven’t had that many Bluetooth devices but they have all been set up that way with the exception of a Bluetooth telephone earbud but it did not have any data to share.

7 posted on 10/22/2015 1:09:02 AM PDT by Pontiac (The welfare state must fail because it is contrary to human nature and diminishes the human spirit.)

To: Pontiac
> I believe that what the hacker does is turn the Fitbit into a Trojan Horse that delivers code to your computer that will then give the hacker access to your computer. Possibly sending your personal data to the hacker's computer or maybe just insert code to erase your hard drive.

After so many battles with viruses and trojan horses on my own computer that have probably made me spend hundreds of hours fixing them it makes me want to slap the living crap out of 'em and their parents for creating such monsters. I know it's probably boredom that drives them to do such things but why don't they create viruses that do good things to your computers?

8 posted on 10/22/2015 1:09:18 AM PDT by jsanders2001

To: Blue Jays

A good reason to keep a Fitbit device in a pocket rather than plainly visible.
One would think the hacker must be in close proximity to take advantage of the vulnerability.

9 posted on 10/22/2015 1:16:04 AM PDT by Blue Jays (Rock Hard, Ride Free)

To: Pontiac

Part of me wonders if at least some of these stupid vulnerabilities were deliberately put there, at the request of some government agency (domestic or foreign) .


10 posted on 10/22/2015 1:24:33 AM PDT by SauronOfMordor (Socialists want YOUR wealth redistributed, never THEIRS!)

To: jsanders2001
> I know it's probably boredom that drives them to do such things but why don't they create viruses that do good things to your computers?

I have often wondered if destruction is not man’s first nature rather than creation.

Think about any little boy with a set of building blocks. Is it not the first thing he does after building something to knock it down?

And if one little boy sees another build something doesn’t he wait until it is finished and then run up and knock down the first boy’s structure and laugh.

Also more to the point; if someone does something to your computer without your consent isn’t it malicious regardless of whether it is a positive change or not?

11 posted on 10/22/2015 1:28:39 AM PDT by Pontiac (The welfare state must fail because it is contrary to human nature and diminishes the human spirit.)

To: SauronOfMordor

Well they have asked for backdoors to systems in the past.


12 posted on 10/22/2015 1:33:51 AM PDT by Pontiac (The welfare state must fail because it is contrary to human nature and diminishes the human spirit.)

To: Swordmaker
> Through this [bluetooth connection], a hacker could dump malware onto the wearable which would then be transferred to any computer the Fitbit came into contact with.

There are two required steps. First to exploit a vulnerability in the fitbit to place malware on it. Second to exploit a different vulnerability on the PC or laptop to transfer other malware to it.

They don't explain the first step, and it would probably involve a complete reflash of the fitbit firmware with a very low probability of success. Much more likely to produce a fitbrick. Second they have not described even the slightest notion of a suitable PC or laptop exploit via bluetooth. While I'm sure something is possible, it is not going to be very general or easy to engineer. Most likely these researchers have no idea how they would hop from the fitbit onto an arbitrary chosen host OS. Left that as an exercise.

13 posted on 10/22/2015 4:22:15 AM PDT by palmer (Net "neutrality" = Obama turning the internet over to foreign enemies)

To: nickcarraway

They could make it look like you’ve taken 100,000 steps and cause you to collapse from exhaustion. :=)


14 posted on 10/22/2015 4:30:11 AM PDT by Bob (No, being a US Senator and the Secretary of State are not accomplishments; they're jobs.)

To: Swordmaker
"potentially wrecking havoc”

“I don’t think that word means what you think it means.”

wreck :
the destruction of, esp. a ship at sea. (noun)
wreak :
cause (a large amount of damage). (verb)
</spelling/grammar nazi mode>

15 posted on 10/22/2015 7:45:27 AM PDT by conservatism_IS_compassion ('Liberalism' is a conspiracy against the public by wire-service journalism.)

To: conservatism_IS_compassion

I zee what you did there

16 posted on 10/22/2015 7:47:13 AM PDT by freedomlover

To: freedomlover

LOL!


17 posted on 10/22/2015 7:52:07 AM PDT by conservatism_IS_compassion ('Liberalism' is a conspiracy against the public by wire-service journalism.)
