SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
23 Oct 2015

Fitbit trackers can be hacked in 10 seconds

A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath.

The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and can spread to other computers to which an infected FitBit connects.

Attacks over Bluetooth require an attacker hacker to be within metres of a target device. This malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. Testing the success of the hack takes about a minute, although it is unnecessary for the compromise. Fortinet researcher Axelle Apvrille (@cryptax) told Vulture South that full persistence means it does not matter if the FitBit Flex is restarted; any computer that connects with the wearable can be potentially infected with a backdoor, trojan, or whatever the attacker desires. (Of course, the malicious code stashed on the gadget must find a way to execute on the connected PC, but that's an exercise left to the reader.)

"An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near," Apvrille says. "[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.

"From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits)." It is the first time malware has been viably delivered to fitness trackers.

The attack vectors are still present. Apvrille warned FitBit in March and says the company considers it a bug which will be squashed at some point. Apvrille, a respected malware researcher, will offer a proof-of-concept demonstration video at the Hack.Lu conference in Luxembourg tomorrow. "The video demonstrates that the infection persists over multiple messages," she says. "Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code." Apvrille has pulled off other hacks; she is able to manipulate the number of counted steps and logged distance to earn badges that can be traded in for discounts and prizes.

Those badges can be turned into discounts and gifts through third-party companies such as Higi which in April launched an API to help companies receive health data derived from wearables. Apvrille has reversed 24 messages from the Fitbit tracker and 20 from the USB Bluetooth dongle as part of the largely ground-up reverse engineering work since the devices are closed-source and do not come with documentation on software internals.

She says communication is over XML and Bluetooth Low Energy while encryption and decryption occurs on the wearable device, and not on the dongle which is "outside of the security boundaries". The communications data sets are divided into "mega dumps" that include walking steps and user activity information, and "micro dumps" which relate to pairing, server responses, and device identifiers.

The work adds new information on the low-level software internals of Fitbit to an existing repository of work built by fellow researchers. It is not the first security blunder for the fitness strap. In 2013 researchers were able to fake login information to access any Fitbit account thanks to then lax authentication checks, allowing attackers to earn prizes. And in 2011 the sexual activities of users were publicly spewed over web searches revealing whether those who had engaged in "vigorous" or “passive and light” efforts.

Dumb hacks exist that allow the lazy to trick the sensors into thinking steps are being taken. In 2013 some researchers tied Fitbits to a car tyre and drove 16km/h to simulate steps. Fitbit's been in touch to say it "... is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can’t be used to infect users with malware. We will continue to monitor this issue.

"Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware." The researcher delivering the talk we reported has since pointed out, in tweets like the one below, that the attack is a proof of concept, theoretical, and not something that's in the wild.

Tags:
information leaks Bluetooth
Source:
The Register
2288
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015