Back in August ,we reported that fitness trackers are shockingly vulnerable to being hacked. At the time, an independant study done by the AV Institute showed how common fitness wearables have more holes than swiss cheese. The FitBit Charge (which, yup I’m still wearing now) performed abysmally, ranking out with one of the lowest security ratings.
The prevailing fear then was regarding data encryption, or lack thereof. That a potential hacker could find out how many steps you walked between 2:00 – 3:00 on July 23rd. Or how many calories you burned last Tuesday at that new trampoline park. Unsettling and weird, but not too damaging as far as these things go.
Well now, as the register.com has reported, a security researcher with Fortinet, Axelle Apvrille has discovered that your FitBit’s Bluetooth capablities can be used to launch full-blown malware attacks on any computer it’s connected to. In order to carry out the attack the hacker has to be within a few meters of the device. All the hacker needs to do is to connect via Bluetooth with the target and within 10 seconds the connection and infiltration is established, making even quick encounters dangerous.
The register.com quotes Aprville saying “An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near.” Then when the user uploads their information to the connected computer, the infected code is sent along as well, installing backdoors, trojans or whatever the creator had in mind.
At the moment, the vulnerability is still wide open so the best way to avoid exploitation is to be aware of your surroundings as you wear your FitBit or to dump the Bluetooth feature all together though that would severely limit its functionality.
Aprville has notified the makers of FitBit of the vulnerability and they said will take measures to fix the hole at “some point”. Meanwhile she will be presenting the information at the Hack.lu security convention tomorrow, Oct 22, in Luxembourg.