Popular Fitbit devices are vulnerable to hackers, according to a new study that reveals how personal information can be stolen from the fitness bands.
Computer researchers at the University of Edinburgh intercepted messages from the Fitbit One and Fitbit Flex wristbands, which track activity metrics such as steps, distance travelled, calories burned and sleep duration.
The team accessed personal information from the devices as it was sent to the company's cloud servers for analysis. The researchers said the weakness could be used to falsify activity records or steal personal data. Fitbit secures its devices with end-to-end encryption, meaning messages are scrambled in transit and only deciphered once they reach their destination. But the University of Edinburgh study showed that these security measures can be circumvented: the researchers modified the Flex and One so that they could bypass the encryption and access the information stored on the devices.
"Our work demonstrates that security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology," said Dr Paul Patras, from the University of Edinburgh's School of Informatics. Dr Patras added that hackers could use the method to steal health data and possibly blackmail users. "They could extract information and say you're not as active as you say you are," he said. "Or use the data for other nefarious purposes."
Fitbit has updated its software to fix the security problems and enhance privacy for its customers. "We welcome Fitbit's receptiveness to our findings, their professional attitude towards understanding the vulnerabilities we identified and the timely manner in which they have improved the affected services," said Dr Patras.
Fitbit said it has used end-to-end encryption since 2016 and is committed to keeping its customers' information secure. "We are always looking for ways to strengthen the security of our devices, and in the upcoming days will start rolling out updates that improve device security, including ensuring encrypted communications for trackers launched prior to Surge," said Fitbit. "The trust of our customers is paramount and we carefully design security measures for new products, continuously monitor for new threats, and diligently respond to identified issues."
Previous research has shown how Fitbit devices can be hacked. Security firm Fortinet showed in 2015 how malicious software could be downloaded onto Fitbit trackers without the user noticing. Fitbit denied the possibility.