
First ever fitness tracker malware can be delivered in ten seconds

Malware can be loaded on to FitBit fitness trackers in just ten seconds, a security researcher has revealed.

Open Bluetooth ports in FitBit trackers allow attackers to connect to the devices from a distance of a few metres, and the hack can be completed in ten seconds.

The security flaw was discovered by renowned Fortinet malware researcher Axelle Apvrille (@cryptax), whose previous research demonstrated that it was possible to manipulate the steps and distances logged by wearable fitness trackers.

Verifying the attack then takes a further minute, during which the hacker would not need to remain nearby.

Apvrille revealed that when the user later wishes to synchronise their fitness data with FitBit’s servers, the malware is sent alongside the standard response.

She told The Register that after this step “it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers”.

Apvrille alerted FitBit to the latest flaw in March 2015, and presented her research at a conference earlier this week.

A proof-of-concept video of the hack is available on YouTube, but the attack has not yet been spotted in the wild.

According to reports, FitBit expects to issue a patch at an as yet unspecified date. However, the wearables firm told The Register: “We believe that [these] security issues are false, and that Fitbit devices can’t be used to infect users with malware.

“Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet.

“We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware.

“We will continue to monitor this issue.”

This is not the first occasion on which FitBit’s security has come into question. In 2013 researchers managed to fake login information, granting them access to any FitBit account, and in 2011 the company inadvertently published details pertaining to its users’ sexual activity levels.

Photo © MorePix (CC BY-SA 3.0). Cropped.