
Hackers Can Wirelessly Upload Malware to a Fitbit in 10 Seconds


Wearables are like hacker candy. They represent a new category of technology that's capable of storing data, including malware, that people don't expect to get pwned. But that's exactly what just happened: Hackers figured out how to remotely upload malware to a Fitbit. It only takes ten seconds.

Hack.Lu conference in Luxembourg tomorrow, said hackers will demonstrate a method for wirelessly loading malware onto a Fitbit Flex fitness tracker. The Register reports that this is "the first time malware has been viably delivered to fitness trackers." Fortinet researcher Axelle Apvrille helped come up with the exploit and explains it in horrifying terms:

An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near.

[When] the victim wishes to synchronize his or her fitness data with FitBit servers to update their profile... the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.

It doesn't sound like a big deal for a fitness tracker to be tainted with code. That is, until you remember that people plug these things into their computers. Apvrille continues:

From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers [Fitbits].

When you think about it, the little accessories are the perfect delivery system for malware. Unlike a USB stick, people probably don't expect their fitness trackers to be a target for hackers.

The really frustrating thing about this exploit is the fact that Fitbit's known about the vulnerability since March when the Fortinet researchers contacted them, but the company still hasn't fixed it. Now that details are out in the open, let's hope Fitbit ups its security game. In the meantime, maybe just leave that gadget at home.

[The Register]


Contact the author at adam@gizmodo.com.
Public PGP key
PGP fingerprint: 91CF B387 7B38 148C DDD6 38D2 6CBC 1E46 1DBF 22A8
