FitBit’s open Bluetooth port enables rapid ‘viral’ malware infection
Wed 21 Oct 2015
An unpatched vulnerability in the FitBit fitness tracker has been shown to permit a malware attack so fast that it obviates the one advantage that a fitness device is often claimed to have against intrusion – brevity of opportunity. Additionally, once a tracker is infected, the malware can propagate itself in the same manner to other FitBit devices that come within its Bluetooth range.
The attack only requires ten seconds of proximity to the device at typical Bluetooth distances, since it leverages the fact that FitBit have left the Bluetooth port vulnerable on the popular health-tracking device – a vector which remains open despite first being reported to the company back in March of this year.
Once the tracker is infected, any device that connects to it, even a PC, is at risk of being exposed to the malware. The exploit will be demonstrated today by Fortinet researcher Axelle Apvrille at this year’s Hack.lu conference, and she has also provided video evidence of the technique.
In a recent interview Apvrille explained the approach:
“An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near…[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code. From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers.”
Though the hack only takes 10 seconds to deliver, it does take 60 seconds to verify, so would-be cybercriminals may need to match a brisk jog to ensure their victim is securely hooked.
Apvrille’s presentation at Hack.lu concentrates on other aspects of the FitBit device as well, including, more positively, its recent efforts to provide end-to-end encryption, thus preventing wearers from publishing details of their sex lives to Google.