Hackers hypothetically could turn Fitbit health bands into PC-infecting malware carriers, Fortinet security researcher Axelle Apvrille demonstrated Wednesday in a presentation at the Hack.lu conference in Luxembourg.
Apvrille showed how it was possible to access a Fitbit’s Bluetooth connection and, in a mere 10 seconds, infect it with a malicious packet that later could be used to infect a personal computer, a feat she demoed earlier this month at a hacker conference in Budapest.
Because of Bluetooth’s range — a maximum of 30 feet or so — an attacker would need to be in close range of the Fitbit band in order send the pernicious packet to it, noted Derek Manky, a global security strategist for Fortinet.
“The Fitbit would receive the information packet, store it, and then at some point later, when the user connects the tracker to a PC, that stored information would be sent to the PC,” he told TechNewsWorld.
“This is just a proof of concept,” he acknowledged. “To make this a real-world attack, someone would have to develop an exploit against the PC itself, which is tough to do.”
Another barrier to turning the conceptual attack into a real one is the size of the packet involved.
“We’re dealing with a maximum of 17 bytes here, which makes it much, much tougher to pull off a real-world attack,” Fortinet’s Manky said.
Fitbit did not respond to our request to comment for this story.
However, the company called the security issues false and said that Fitbit devices could not be used to infect users with malware, according to multiple reports.
Fitbit carefully designs security measures for new products, monitors the landscape for new threats, and rapidly responds to identified issues, the company reportedly said.
“To some extent, the researcher is making a mountain out of a mole hill,” remarked Lee Ratliff, principal analyst for low power wireless at IHS Technology.
“She had to do a lot of serious reverse engineering on this,” he told TechNewsWorld. “I can understand the motivation for a researcher to do that, but for a hacker trying to make a profit, it’s not clear there’s any way to profit from this.”
Minimal Sales Impact
Any attack attempt likely would be ineffective, Ratliff added, because most people don’t use their fitness bands with their PCs.
“I use my fitness band to connect to my smartphone, and I would guess the vast majority of people are the same way,” he said. “So if the exploit doesn’t work on the smartphone, that minimizes the impact of it.”
Will news of the hack have an effect on Fitbit’s business? “I would guess no,” Ratliff said. “The average consumer will not become aware of this hack.”
Moreover, “there’s been no demonstrable damage from the hack. It’s a theoretical thing at this point,” he added.
That doesn’t mean that makers of wearables and devices that connect to the Internet of Things should ignore the security issues Fortinet raised, however.
Moving Into the Wild
“There are so many manufacturers making electronic items out there, and so few of them employ security experts,” Ratliff said. “In most cases, it’s a general engineering staff trying to put together a security solution for a product. That’s why this issue will come up again and again — not just for wearables, but for any kind of IoT application.”
Security doesn’t appear on the radar of many device makers until late in the development cycle, noted Amit Sethi principal consultant for mobile security at Cigital.
“Quite often, security is left as an afterthought in many IoT devices,” he told TechNewsWorld. “The focus is on minimizing cost and maximizing battery life.”
Machine-to-machine communication can be a ripe attack vector for bad actors, as Fortinet illustrated with its proof-of-concept attack on Fitbit.
“Communication between devices — machine to machine — is where a lot vulnerabilities lie today,” Manky said. “Moving into 2016 and beyond, I expect more of these attacks to start developing in the wild.”