Fitbit wearables can be hacked in 10 seconds, allowing the intruder to infect any PC connected to it, according to a report in The Register.
Fitbit makes a series of wearable devices that measure health statistics, such as blood pressure and heart rate. All of the information is then passed on to an online hub.
The hack, which Fitbit was made aware of in March, uses the open Bluetooth connection of a Fitbit wearable. Through this, a hacker could dump malware onto the wearable, which would then be transferred to any computer the Fitbit came into contact with.
The ease of delivery — the attack can be completed in under 10 seconds — means that hackers can easily gain access to a computer via the Fitbit device, potentially wreaking havoc.
According to researcher Axelle Apvrille at Fortinet: “[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.”
Apvrille plans to demo the hack at the Hack.Lu conference in Luxembourg.
But Fitbit has disputed the vulnerability, telling Business Insider that it believes “security issues reported today are false, and that Fitbit devices can’t be used to infect users with malware”.
A Fitbit spokesperson said:
“Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware.
“We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit’s products or online services to [email protected]. More information about reporting security issues can be found online at https://www.fitbit.com/security/.”