Security Firm Researcher Claims She Hacked Into Fitbit Tracker In 10 Seconds

SAN FRANCISCO (CBS Sacramento) -- A security researcher claims she was able to hack into a Fitbit tracker in 10 seconds.

CBS News reports that Axelle Apvrille of Fortinet demonstrated at the Hacktivity Conference in Budapest that the tracker could be infected with malware, which could then be passed on to the wearer's computer, just by taking advantage of the wearable's open Bluetooth connection.

"She showed that the Fitbit firmware has vulnerabilities that allowed her to plant arbitrary bytes into the Fitbit, those bytes then being 'reflected' to a computer talking to a Fitbit," Guillaume Lovet, senior manager at Fortiguard, which is part of Fortinet, told CBS News.

Apvrille showed the conference she was able to manipulate the tracker's data by bumping up the number of tracked steps or distance covered. She then showed she could send a payload over Bluetooth to the wireless Fitbit tracker. The tracker then transmits that payload to the wearer's computer when syncing the day's activities.

"She did not go as far as making a malicious payload with those bytes, that would exploit the computer (and plant some malware in it), but it is theoretically possible to do that," Lovet told CBS News.

CBS News reports Apvrille alerted the San Francisco-based Fitbit to the vulnerability in March. Fitbit said in a statement that Fortinet's hacking claims are false.

"On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users' devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required," a Fitbit spokesperson explained to CBS News.

The spokesperson also said the company has "maintained an open channel of communication with Fortinet" since Apvrille contacted them.

"We have not seen any data indicate that it is possible to use a tracker to distribute malware," the spokesperson told CBS News.
