Fitbit Vulnerability Means Your Tracker Could Spread Malware

Outsmart Malicious Hackers


So it seems there is a Fitbit vulnerability involving the BlueTooth implementation that can be used to embed self replicating malware onto the wearable fitness tracker. I actually own a Fitbit, and have had previous models too, so this is quite interesting to me.

Fitbit Vulnerability Means Your Tracker Could Spread Malware

The malware could spread to your PC/Laptop if you’re using the syncing dongle, or to other Fitbit trackers. From what I’ve read of it though, it’s mostly theoretical. It could work under some circumstances, but there’s no real live code out there infecting Fitbit devices and spreading itself.

A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath.

The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and can spread to other computers to which an infected FitBit connects.

Attacks over Bluetooth require an attacker hacker to be within meters of a target device. This malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. Testing the success of the hack takes about a minute, although it is unnecessary for the compromise.

Fortinet researcher Axelle Apvrille (@cryptax) told Vulture South that full persistence means it does not matter if the FitBit Flex is restarted; any computer that connects with the wearable can be infected with a backdoor, trojan, or whatever the attacker desires.

“An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near,” Apvrille says.

“[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.

“From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”

It is the first time malware has been viably delivered to fitness trackers.


You can see the video of the PoC here – FitBit malware injection by Axelle Apvrille.

It’s an interesting area for sure, wearable security – along with the whole Internet of Things movement, it could be one the next security/privacy frontiers. Imagine in urban, high density areas, there must be literally thousands of these devices within close proximity to each other.

The rate a real worm could spread, would be quite scary.

The attack vectors are still present. Apvrille warned FitBit in March and says the company considers it a bug which will be squashed at some point.

Apvrille, a respected malware researcher, will offer a proof-of-concept demonstration video at the Hack.Lu conference in Luxembourg tomorrow.

“The video demonstrates that the infection persists over multiple messages,” she says. “Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code.”

Apvrille has pulled off other hacks; she is able to manipulate the number of counted steps and logged distance to earn badges that can be traded in for discounts and prizes.

Those badges can be turned into discounts and gifts through third-party companies such as Higi which in April launched an API to help companies receive health data derived from wearables.

Apvrille has reversed 24 messages from the Fitbit tracker and 20 from the USB Bluetooth dongle as part of the largely ground-up reverse engineering work since the devices are closed-source and do not come with documentation on software internals.

She says communication is over XML and Bluetooth Low Energy while encryption and decryption occurs on the wearable device, and not on the dongle which is “outside of the security boundaries”.

The communications data sets are divided into “mega dumps” that include walking steps and user activity information, and “micro dumps” which relate to pairing, server responses, and device identifiers.

The work adds new information on the low-level software internals of Fitbit to an existing repository of work built by fellow researchers.

It’s a bit sad that Fitbit has known about this since March, but the vector isn’t fixed. They do say they will fix it, but there’s no timeline as to when.

I hope the bad guys don’t pick this up and run with it. I’m personally pretty safe, as there’s a very low penetration of wearables where I am, but it could be terrible for the industry as a whole.

Source: The Register

Posted in: Exploits/Vulnerabilities, Hardware Hacking, Malware


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


One Response to Fitbit Vulnerability Means Your Tracker Could Spread Malware

  1. Corey Nachreiner October 22, 2015 at 3:15 am #

    If I’m interpreting the PoC video right, it looks like there’s only 7-Bytes of controllable code the attack persistently leaves on the fitbit… 7-bytes isn’t a lot to work with, as far as transfering some malware to a PC… I assume that 7-bytes gets sent when the fitbit sends bluetooth packets to the PC with the fitbit app… still unclear on how this forces malware on the PC.

    In any case, this is just a preview… I think The actual hack.lu presentation is tomorrow.