​Fitbit tracker hacked in 10 seconds

When Axelle Apvrille presented her Fitbit hack at the Hacktivity Conference in Budapest earlier this month, she was amused that several audience members were sporting the fitness trackers during her talk.

The Fortinet security researcher demonstrated how, within a matter of just 10 seconds, a Fitbit could be infected with malware that could then be passed on to the wearer's computer. The hack takes advantage of the wearable's open Bluetooth connection.

Apvrille first showed that she could reverse engineer the band's protocol to manipulate data, bumping up the number of tracked steps or distance covered. From there she (ahem) stepped it up by demonstrating that she could send a payload over Bluetooth to the wireless tracker, which would then transmit that payload to a computer when syncing the day's activities.

Though a small payload -- just 17 bytes -- it would be enough for a Trojan, small virus or other piece of malicious software.

She didn't actually infect the devices, as this was a proof of concept demonstration.

"She showed that the Fitbit firmware has vulnerabilities that allowed her to plant arbitrary bytes into the Fitbit, those bytes then being, 'reflected' to a computer talking to a Fitbit," Guillaume Lovet, a senior manager at FortiGuard, part of Fortinet, told CBS News.

"She did not go as far as making a malicious payload with those bytes, that would exploit the computer (and plant some malware in it), but it is theoretically possible to do that," he explained.

What's more, it took just 10 seconds for Apvrille to connect to the wireless band and infect it, with no physical contact required. That means a hacker could sit next to you on a bench while you tighten your laces for a run and have plenty of time to do the deed.

Aprville, who alerted Fitbit to the vulnerability in March, presented her findings again at Luxemborg's Hack.lu event Wednesday.

"On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users' devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required," a Fitbit spokesperson told CBS News.

The company added that since Apvrille contacted Fitbit in March, "we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware."

This story was updated with a statement from Fitbit.

f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.