Fitbit Vulnerability Means Your Tracker Could Spread Malware

Outsmart Malicious Hackers


So it seems there is a Fitbit vulnerability involving the BlueTooth implementation that can be used to embed self replicating malware onto the wearable fitness tracker. I actually own a Fitbit, and have had previous models too, so this is quite interesting to me.

Fitbit Vulnerability Means Your Tracker Could Spread Malware

The malware could spread to your PC/Laptop if you’re using the syncing dongle, or to other Fitbit trackers. From what I’ve read of it though, it’s mostly theoretical. It could work under some circumstances, but there’s no real live code out there infecting Fitbit devices and spreading itself.

A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath.

The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and can spread to other computers to which an infected FitBit connects.

Attacks over Bluetooth require an attacker hacker to be within meters of a target device. This malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. Testing the success of the hack takes about a minute, although it is unnecessary for the compromise.

Fortinet researcher Axelle Apvrille (@cryptax) told Vulture South that full persistence means it does not matter if the FitBit Flex is restarted; any computer that connects with the wearable can be infected with a backdoor, trojan, or whatever the attacker desires.

“An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near,” Apvrille says.

“[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.

“From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”

It is the first time malware has been viably delivered to fitness trackers.


You can see the video of the PoC here – FitBit malware injection by Axelle Apvrille.

It’s an interesting area for sure, wearable security – along with the whole Internet of Things movement, it could be one the next security/privacy frontiers. Imagine in urban, high density areas, there must be literally thousands of these devices within close proximity to each other.

The rate a real worm could spread, would be quite scary.

The attack vectors are still present. Apvrille warned FitBit in March and says the company considers it a bug which will be squashed at some point.

Apvrille, a respected malware researcher, will offer a proof-of-concept demonstration video at the Hack.Lu conference in Luxembourg tomorrow.

“The video demonstrates that the infection persists over multiple messages,” she says. “Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code.”

Apvrille has pulled off other hacks; she is able to manipulate the number of counted steps and logged distance to earn badges that can be traded in for discounts and prizes.

Those badges can be turned into discounts and gifts through third-party companies such as Higi which in April launched an API to help companies receive health data derived from wearables.

Apvrille has reversed 24 messages from the Fitbit tracker and 20 from the USB Bluetooth dongle as part of the largely ground-up reverse engineering work since the devices are closed-source and do not come with documentation on software internals.

She says communication is over XML and Bluetooth Low Energy while encryption and decryption occurs on the wearable device, and not on the dongle which is “outside of the security boundaries”.

The communications data sets are divided into “mega dumps” that include walking steps and user activity information, and “micro dumps” which relate to pairing, server responses, and device identifiers.

The work adds new information on the low-level software internals of Fitbit to an existing repository of work built by fellow researchers.

It’s a bit sad that Fitbit has known about this since March, but the vector isn’t fixed. They do say they will fix it, but there’s no timeline as to when.

I hope the bad guys don’t pick this up and run with it. I’m personally pretty safe, as there’s a very low penetration of wearables where I am, but it could be terrible for the industry as a whole.

Source: The Register

Posted in: Exploits/Vulnerabilities, Hardware Hacking, Malware


Latest Posts:


BootStomp - Find Bootloader Vulnerabilities BootStomp – Find Android Bootloader Vulnerabilities
BootStomp is a Python-based tool, with Docker support that helps you find two different classes of bootloader vulnerabilities and bugs.
Google Chrome Marking ALL Non-HTTPS Sites Insecure July 2018 Google Chrome Marking ALL Non-HTTPS Sites Insecure July 2018
Google is ramping up its campaign against HTTP only sites and is going to mark ALL Non-HTTPS sites insecure in July 2018 with the release of Chrome 68.
altdns - Subdomain Recon Tool With Permutation Generation altdns – Subdomain Recon Tool With Permutation Generation
Altdns is a subdomain recon tool in Python that allows for the discovery of subdomains that conform to patterns. The tool takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.
0-Day Flash Vulnerability Exploited In The Wild 0-Day Flash Vulnerability Exploited In The Wild
So another 0-Day Flash Vulnerability is being exploited in the Wild, a previously unknown flaw which has been labelled CVE-2018-4878 and it affects 28.0.0.137 and earlier versions
dorkbot - Command-Line Tool For Google Dorking dorkbot – Command-Line Tool For Google Dorking
dorkbot is a modular command-line tool for Google dorking, which is performing vulnerability scans against a set of web pages returned by Google search queries in a given Google Custom Search Engine.
USBPcap - USB Packet Capture For Windows USBPcap – USB Packet Capture For Windows
USBPcap is an open-source USB Packet Capture tool for Windows that can be used together with Wireshark in order to analyse USB traffic without using a Virtual Machine.


One Response to Fitbit Vulnerability Means Your Tracker Could Spread Malware

  1. Corey Nachreiner October 22, 2015 at 3:15 am #

    If I’m interpreting the PoC video right, it looks like there’s only 7-Bytes of controllable code the attack persistently leaves on the fitbit… 7-bytes isn’t a lot to work with, as far as transfering some malware to a PC… I assume that 7-bytes gets sent when the fitbit sends bluetooth packets to the PC with the fitbit app… still unclear on how this forces malware on the PC.

    In any case, this is just a preview… I think The actual hack.lu presentation is tomorrow.