Fitbit Tracker 10 Second Hack Raises Major Concerns

According to The Register, Fortinet researchers have claimed that the quick attack can deliver malware over Bluetooth in a few seconds, which can give the hacker remote access to the computer your Fitbit connects to. Additionally, once a tracker is infected, the malware can propagate itself in the same manner to other Fitbit devices that come within its Bluetooth range.

Further, Apvrille said that the tracker can be hacked without physically compromising it.

Though she didn’t infect the demonstration device with an actual piece of malware or a virus, she claimed that the payload she could send (17 bytes) was sufficiently large to do so, despite being quite small compared to today’s data storage and transfer capabilities.

Guillaume Lovet, a senior manager at FortiGuard, part of Fortinet, also confirmed the hack, telling CBS News that Apvrille had managed to show “that the Fitbit firmware has vulnerabilities that allowed her to plant arbitrary bytes into the Fitbit, those bytes then being ‘reflected’ to a computer talking to a Fitbit.”

Research by network security company Fortinet revealed that a Fitbit fitness tracker can be hacked quickly due to a vulnerability linked to Bluetooth ports, and that the infection can then spread to other computers to which the gadget is connected.

Reports are circulating that Fitbit bands can be hacked, but users of the fitness tracker shouldn’t fret. The file hidden in the Fitbit would remain even if the device was restarted, and could be sent to it in just 10 seconds, so it could happen when you’re passing someone in the street.

This was not Fitbit’s first security debacle. Apvrille emphasized that the vulnerability she discovered represented only a proof of concept.

Prior to this, Fitbit was in the news for two other security incidents.

Apvrille informed Fitbit about the exploit in March 2015. Fitbit assures its users that it will monitor this situation closely and is in contact with Fortinet regarding the issue.

“Since that time we’ve maintained an open channel of communication with Fortinet,” Fitbit said. “We have not seen any data to indicate that it is now possible to use a tracker to distribute malware.”

Fitbit is defending itself against claims by a security researcher that its fitness trackers can be hacked wirelessly in 10 seconds and then be used to infect a computer with malware.