back to article '10-second' theoretical hack could jog Fitbits into malware-spreading mode

A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath. The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and …

  1. Anonymous Coward
    Anonymous Coward

    Interesting

    Wonder if this hack could be used to make lost Fitbits turn on their BLE in continuous ie beacon mode so you can find lost units?

    Not that it would help now as the battery probably went flat about a week ago.

  2. Mystic Megabyte
    Unhappy

    Bah!

    A better hack would be one that gives joggers a large electric shock or teleports them to the Gobi desert. Preferably both! (Annoyed at joggers running three abreast on narrow paths, making me get out of the way)

    1. Anonymous Coward
      Anonymous Coward

      Re: Bah!

      How do they make you get out of the way? You have a right to 'around' half the path, just as a car on a road without a marked centerline. To be polite you should move over to the edge of the path but you should not feel as though you need to move off it. It is on them to adjust and move their group to the side enough to pass, or single file. They can't force you to move, your problem is that you're not asserting your equal rights to the path.

      It sounds like your dislike of joggers is a projection of your subconscious recognition of your own weakness in not asserting yourself. They aren't making you move, you are letting them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bah!

        It sounds like your dislike of joggers is a projection of your subconscious recognition of your own weakness in not asserting yourself.

        Wow.

        I am sure that after you pick yourself up off the floor, you would be completely in your rights to argue with the three three joggers about who had right of way etc. However, most humans will step out of the way.

  3. oneeye

    Too bad Apriville's demonstration does not include a live hacking of Fitbits CEO or other prominent members! That would be hilarious!

  4. Pascal Monett Silver badge

    "the company considers it a bug which will be squashed at some point"

    One question : is that point when sales have hit the floor because nobody trusts the product any more, or some time before that ?

    The ability to mod the numbers or something is amusing (for us anyway, for companies paying out based on false numbers, not so much), this is not a critical piece of equipment after all. But the ability to root a computer with it is not amusing at all. Technically, even people that don't have a FitBit could be at risk. That is not good.

  5. Zog_but_not_the_first
    IT Angle

    This is a non-problem

    Because most Fitbits will be lying at the back of a drawer.

  6. Anonymous Coward
    Thumb Up

    Phew

    And in 2011 the sexual activities of users were publicly spewed over web searches revealing whether those who had engaged in "vigorous" or “passive and light” efforts.

    Fortunately I wear my FitBit on my left wrist.

    1. Captain DaFt

      Re: Phew

      So we get informed on how often you cheat on your right hand then?

    2. PrivateCitizen

      Re: Phew

      I am glad you understood that sentence. It seemed to me that a crucial word or two were missing.

    3. Anonymous Coward
      Anonymous Coward

      Re: Phew

      You owe me a new keyboard @Smooth Newt.

      Preferably waterproof this time, attached to a Toughbook would be nice.

      I wonder what other useful data could be extracted from these things? had a thought about using them to track suspicious BTLE devices such as rogue access points sharing the same spectrum, also for locating missing persons.

      Little factoid, the battery on Fitbits though rated for 8 days max will actually last as long as 19 days if the owner does not use it or is immobile.

  7. disgruntled yank

    steps?

    At 16 KPH, they might have been my steps once upon a time, but they sure aren't now.

    But here is an idea for the next disruptive app: tie in your FitBit results to the Instagram pictures you are posting of all your meals (aren't you?), and evaluate the probability that you are faking in your Facebook photos. Note to VCs wishing to contact me: I'll wear cargo pants tomorrow to accommodate the cash you wish to stuff in my pockets.

  8. Anonymous Coward
    Anonymous Coward

    Coming soon: a government approval process for electronic devices

    It won't work--it would be worse if it did--but that won't stop it from coming.

  9. Charles Manning

    Can infect any computer it connects to

    Bullshit

    An RPI is a computer. I 100% guarantee it cannot infect an RPi merely by connecting to it.

    Maybe Windows computers, but I'm not going to investigate that.

  10. Anonymous Coward
    Anonymous Coward

    "she is able to manipulate the number of counted steps and logged distance"

    Whoopee doo. My nephew managed to get a step counter to 10,000 just by shaking it.

  11. santalovincruz

    What I don’t understand is the company’s lack of response to earlier vulnerability reports in early 2014 and 2013 by researchers at two different universities and/or the company's lack of internal controls to capably discover and mitigate possible breaches:

    From 2014: http://courses.csail.mit.edu/6.857/2014/files/17-cyrbritt-webbhorn-specter-dmiao-hacking-fitbit.pdf

    “This report describes an analysis of the Fitbit Flex ecosystem. Our objectives are to describe (1) the data Fitbit collects from its users, (2) the data Fitbit provides to its users, and (3) methods of recovering data not made available to device owners.

    Our analysis covers four distinct attack vectors. First, we analyze the security and privacy properties of the Fitbit device itself. Next, we observe the Bluetooth traffic sent between the Fitbit device and a smartphone or personal computer during synchronization. Third, we analyze the security of the Fitbit Android app. Finally, we study the security properties of the network traffic between the Fitbit smartphone or computer application and the Fitbit web service.

    We provide evidence that Fitbit unnecessarily obtains information about nearby Flex devices under certain circumstances. We further show that Fitbit does not pro- vide device owners with all of the data collected. In fact, we find evidence of per-minute activity data that is sent to the Fitbit web service but not provided to the owner. We also discovered that MAC addresses on Fitbit devices are never changed, enabling user- correlation attacks. BTLE credentials are also exposed on the network during device pairing over TLS, which might be intercepted by MITM attacks. Finally, we demonstrate that actual user activity data is authenticated and not provided in plaintext on an end-to-end basis from the device to the Fitbit web service

    From 2013:

    https://gigaom.com/2013/04/24/keeping-fitbit-safe-from-hackers-and-cheaters-with-fitlock/

    “The fusion of social networks and wearable sensors is becoming increasingly popular, with systems like Fitbit automating the process of reporting and sharing user fitness da ta. In this paper we show that while compelling, the careless integration of health data into social networks is fraught with privacy and security vulnerabilities. Case in point, by reverse engineering the communication protocol, storage details and operation codes, we identified several vulnerabilities in Fitbit (abstract link in attached article)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like