{"id":8690,"date":"2015-10-22T16:33:45","date_gmt":"2015-10-22T20:33:45","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=8690"},"modified":"2015-10-22T16:33:45","modified_gmt":"2015-10-22T20:33:45","slug":"researcher-shows-how-it-could-take-hackers-just-10-seconds-to-wirelessly-upload-malware-to-a-fitbit","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2015\/10\/22\/researcher-shows-how-it-could-take-hackers-just-10-seconds-to-wirelessly-upload-malware-to-a-fitbit\/","title":{"rendered":"Researcher shows how it could take hackers just 10 seconds to wirelessly upload malware to a FitBit"},"content":{"rendered":"

By Rob Thubron<\/a><\/p>\n

In recent times, hackers have been discovering ways to exploit wireless systems in a number of devices, from vehicle infotainment centers<\/a> to self-aiming sniper rifles<\/a>. It now seems another gadget may be added to this list, as Fortinet researcher Axelle Apvrille has revealed that fitness-tracking wristband FitBit<\/a>, which has sold more than 20 million devices worldwide, can theoretically be hacked in just ten seconds and used to spread malware to any computer it syncs with.<\/p>\n

According to The Register<\/a>, an attack on a FitBit via Bluetooth would only require an attacker to be a few feet from a target for around ten seconds after the devices connect. Any computer that later connects with the wearable can be infected with a backdoor, trojan, or some other form of malware used by the hacker.<\/p>\n

An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near. [When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile [\u2026] the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code. From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).<\/p><\/blockquote>\n

Apvrille will be presenting a proof-of-concept demonstration video at the Hack.Lu conference taking place in Luxembourg today. “The video demonstrates that the infection persists over multiple messages,” she says. “Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code.”<\/p>\n

FitBit have apparently been aware of the problem since March when Apvrille contacted the company about it. FitBit says it believes the vulnerability, which the first instance of a fitness wearable shown to be potentially hackable, is a low-severity issue and unrelated to malicious software. The researcher has pointed out that the attack is a proof of concept and not something that’s in the wild.<\/p>\n

\n

concerning that scenario of infecting a fitness tracker, it’s important to read the slide on limitations 1\/ it’s a PoC, no malicious code<\/p>\n

\u2014 Axelle Ap. (@cryptax) October 21, 2015<\/a><\/p><\/blockquote>\n

This isn\u2019t the first instance of FitBit making headlines due to security failings. In 2011, blogger Andy Baio tweeted that Fitbit fitness band users\u2019 sexual activity was showing up<\/a> in Google search results by accident, revealing whether they had engaged in “vigorous” or \u201cpassive and light\u201d efforts.<\/p>\n