Owners of Fitbit's Aria internet-connected smart scales are being advised to install a firmware patch following the discovery of critical security flaws.
Tavis Ormandy of Google's Project Zero was credited with finding the vulnerabilities in the Wi-Fi cyber-scales. While Fitbit isn't providing specific details on the nature of the flaws, it says that, in general, "critical" issues are those which "if exploited could allow attacker-supplied code to gain unrestricted access and potentially go undetected by the customer."
Fitbit is right now pushing out the critical patch, and folks are advised to update their Aria scale firmware as soon as possible to prevent attacks. The scales should automatically get the update within the next few days, though their owners can also check for updates through the FitBit dashboard tool.
In addition to weight, the Aria also logs and transmits information on the user's body fat percentage and body mass index (BMI) to Fitbit's cloud. The data is then synched with the user's online FitBit profile. Apparently, the scale hack isn't weighing too heavily on the mind of Ormandy.
In a statement, Fitbit told:
Although we are not aware of any security incidents related to these findings, as soon as Fitbit was informed of the potential issue, we worked on a solution to address it. We are pleased to report that a fix to this issue has been developed and released. All users with an Aria Wi-Fi scale that is paired to an account, has recently synced to Fitbit, and has healthy batteries will automatically receive the firmware update.
Please note that firmware updates are installed overnight and it may take a few days for scales to receive an update. If users are concerned that their scale has not yet updated, they may wish to add fresh batteries to the scale or contact Fitbit Support for assistance.
While a scale hack is a relatively lightweight issue, it opens up the long-standing fears over security flaws in the bloating ranks of Internet of Things hardware. With more companies hooking their appliances up to the internet, security researchers are finding tons of new holes in connected devices that allow for everything from the remote control of appliances to the ability to siphon off personal information. The issue has become so heavy that the US government has had to weigh in on the matter and offer its own recommendations.
