So it seems there is a Fitbit vulnerability involving the BlueTooth implementation that can be used to embed self replicating malware onto the wearable fitness tracker. I actually own a Fitbit, and have had previous models too, so this is quite interesting to me.
The malware could spread to your PC/Laptop if you’re using the syncing dongle, or to other Fitbit trackers. From what I’ve read of it though, it’s mostly theoretical. It could work under some circumstances, but there’s no real live code out there infecting Fitbit devices and spreading itself.
A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath.
The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and can spread to other computers to which an infected FitBit connects.
Attacks over Bluetooth require an attacker hacker to be within meters of a target device. This malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. Testing the success of the hack takes about a minute, although it is unnecessary for the compromise.
Fortinet researcher Axelle Apvrille (@cryptax) told Vulture South that full persistence means it does not matter if the FitBit Flex is restarted; any computer that connects with the wearable can be infected with a backdoor, trojan, or whatever the attacker desires.
“An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near,” Apvrille says.
“[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.
“From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”
It is the first time malware has been viably delivered to fitness trackers.
You can see the video of the PoC here – FitBit malware injection by Axelle Apvrille.
It’s an interesting area for sure, wearable security – along with the whole Internet of Things movement, it could be one the next security/privacy frontiers. Imagine in urban, high density areas, there must be literally thousands of these devices within close proximity to each other.
The rate a real worm could spread, would be quite scary.
The attack vectors are still present. Apvrille warned FitBit in March and says the company considers it a bug which will be squashed at some point.
Apvrille, a respected malware researcher, will offer a proof-of-concept demonstration video at the Hack.Lu conference in Luxembourg tomorrow.
“The video demonstrates that the infection persists over multiple messages,” she says. “Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code.”
Apvrille has pulled off other hacks; she is able to manipulate the number of counted steps and logged distance to earn badges that can be traded in for discounts and prizes.
Those badges can be turned into discounts and gifts through third-party companies such as Higi which in April launched an API to help companies receive health data derived from wearables.
Apvrille has reversed 24 messages from the Fitbit tracker and 20 from the USB Bluetooth dongle as part of the largely ground-up reverse engineering work since the devices are closed-source and do not come with documentation on software internals.
She says communication is over XML and Bluetooth Low Energy while encryption and decryption occurs on the wearable device, and not on the dongle which is “outside of the security boundaries”.
The communications data sets are divided into “mega dumps” that include walking steps and user activity information, and “micro dumps” which relate to pairing, server responses, and device identifiers.
The work adds new information on the low-level software internals of Fitbit to an existing repository of work built by fellow researchers.
It’s a bit sad that Fitbit has known about this since March, but the vector isn’t fixed. They do say they will fix it, but there’s no timeline as to when.
I hope the bad guys don’t pick this up and run with it. I’m personally pretty safe, as there’s a very low penetration of wearables where I am, but it could be terrible for the industry as a whole.
Source: The Register
Corey Nachreiner says
If I’m interpreting the PoC video right, it looks like there’s only 7-Bytes of controllable code the attack persistently leaves on the fitbit… 7-bytes isn’t a lot to work with, as far as transfering some malware to a PC… I assume that 7-bytes gets sent when the fitbit sends bluetooth packets to the PC with the fitbit app… still unclear on how this forces malware on the PC.
In any case, this is just a preview… I think The actual hack.lu presentation is tomorrow.