A SECURITY RESEARCHER has shown off a proof-of-concept hack on the Fitbit fitness-monitoring device that could make people think they've walked further than they actually have, and potentially employ malware.
The are a number of reports about the threat, along with a series of tweets and a video of the attack in action. Fitbit says that the whole thing is a bit of a no starter.
Axelle Apvrille, a researcher at security firm Fortinet, is the bean spiller and the apparent source of the video. Apvrille showed off the method at the Hack.lu event in Luxemburg this week.
"Fitbit Flex is a fitness wristband which records your fitness activity: walking, running and sleep efficiency. Since prior infamous security and privacy issues, such as public web disclosure of sexual activity, Fitbit has made significant progress," is the official introduction from Apvrille.
"While reverse engineering, we noticed trackers now use end-to-end encryption for their communications with Fitbit servers. Is this good? Or bad? What happens if Fitbit servers are unreachable? What can we possibly do with the wristband besides activity tracking? I'll present two alternative geeky uses for your beloved fitness tracker."
Apvrille describes herself as an antivirus researcher with a particular interest in the world of "strange, advanced or unexpected non-desktop malware".
The results of a successful attack on a Fitbit device may not be catastrophic. One of the threats, according to the report, is that a person's step count could be manipulated. Such manipulation needs proximity and the attack relies on Bluetooth to make its impact felt.
"You don't need physical access (to the tracker), but you do need to be close," Apvrille told Engadget, adding that once the wrist device is infected it doesn't take much of a leap to hit desktops.
"An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance, then the rest of the attack occurs by itself without any special need for the attacker being near."
Fitbit has been in touch to make us all feel unhealtby and to addresss some issues with the article.Fitbit has responded to us and the situation, and it says that all is in hand, adding that even if it wasn't it wouldn't be that bad anyway.
It suggests that even Avrille will not stand by claims that a real life attack is possible, adding that any risk here is a theoretical one.
"On Wednesday October 21, 2015, reports began circulating in the media based on claims from security vendor, Fortinet, that Fitbit devices could be used to distribute malware. These reports are false," it said.
"In fact, the Fortinet researcher, Axelle Apvrille who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect user's devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required."
The firm added, in case we missed it, that there is no threat of unwanted malware, explaining that there is no evidence of that.
"As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware," it explained.
"We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit's products or online services." µ
Nice of them to mention it
Snap's security measures clearly lacked a filter in this case
Acquisition could make the company too big a buy for Broadcom
Firm says its 'on its way' to creating first-ever physical product