Update – Fitbit’s full statement can be found below.
If you have a Fitbit tracker, here’s a bit of troubling news. According to security researcher Axelle Apvrille, Fitbit’s series of fitness trackers appear to have a vulnerability that leaves them open to being hacked. In fact, the hole is said to be large enough that the hack is relatively simple and takes only 10 seconds to accomplish.
Basically, all it takes is for the attacker to be within Bluetooth range of the Fitbit device in order to deliver the hack. According to Apvrille, “[When] the victim wishes to synchronise his or her fitness data with Fitbit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code. From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”
What this means is that not only would your Fitbit be infected, but it would also infect computers it comes in contact with, and could potentially infect other Fitbit devices as well. Apvrille says she informed Fitbit of the vulnerability back in March, but the company apparently dismissed it as a bug to be addressed in a later update; to date, the vulnerability appears to still be present. You can see the hack in action in the video above.
“On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims, has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users’ devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.
As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.
We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit’s products or online services to email@example.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/.”