Hackers Can Wirelessly Upload Malware to a Fitbit in 10 Seconds

By Adam Clark Estes

Wearables are like hacker candy. They represent a new category of technology that’s capable of storing data—including malware—that people don’t expect to get pwned. But that’s exactly what just happened: Hackers figured out how to remotely upload malware to a Fitbit. It only takes ten seconds.

At the Hack.Lu conference in Luxembourg tomorrow, hackers will demonstrate a method for wirelessly loading malware onto a Fitbit Flex fitness tracker. The Register reports that this is “the first time malware has been viably delivered to fitness trackers.” Fortinet researcher Axelle Apvrille helped come up with the exploit and explains it in horrifying terms:

An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near.

[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile… the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.

It doesn’t sound like a big deal for a fitness tracker to be tainted with code. That is, until you remember that people plug these things into their computers. Apvrille continues:

From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers [Fitbits].

When you think about it, the little accessories are the perfect delivery system for malware. Unlike a USB stick, people probably don’t expect their fitness trackers to be a target for hackers.

The really frustrating thing about this exploit is the fact that Fitbit’s known about the vulnerability since March when the Fortinet researchers contacted them, but the company still hasn’t fixed it. Now that details are out in the open, let’s hope Fitbit ups its security game. In the meantime, maybe just leave that gadget at home. [The Register]