PCs, smartphones, and tablets are fair game to hackers these days. And we’ve also started to see cars with sophisticated infotainment systems and controls also getting hacked. But how about the innocent little whose sole purpose is to keep your body healthy? Well, now they’re getting hacked as well. And worse, they might be used to make other computers unhealthy. Fortinet researcher Axelle Apvrille reveals that the Fitbit is one such wearable that easily succumbs to a hack in just 10 seconds and can then spread the malware to computers it syncs with.
The scenario almost sounds like something straight out of a spy flick. An attacker gets within Bluetooth range of a Fitbit fitness tracker, near enough to establish a connection. It doesn’t need to be a long connection though, as 10 seconds is reportedly enough to drop the payload. Once the deed is done, the malware sits innocently in the wearable, waiting for the user to connect it to a PC to sync.
Once the FitBit tries to communicate with PC to update the user’s profile, it also dumps malicious code that can create a backdoor on the computer or cause the machine to crash. Even worse, the infected computer can then also infect other Fitbits that connect to it, spreading the malware around. The malware on the Fitbit itself persists even when the wearable is restarted.
This is probably the first recorded, not to mention successful, hacking attempt targeting wearables but it’s not exactly new. Apvrille says that he already reported the issue to Fitbit back in March. Half a year later, the vulnerability still exists as Fitbit seems to simply regard this not as a critical security problem but a bug that needs to be fixed some time in the future. Apvrille with present a proof-of-concept demo of the vulnerability at the Hack.Lu conference in Luxembourg this week.