Wearables may be a hacker's dream and Fitbit trackers could be the jackpot, according to security researchers who revealed a 10-second hack, but Fitbit disputes such claims.
As wearable devices are increasingly gaining momentum, people store more data on their smartwatches, fitness trackers and other such gadgets. Whenever there's data stored, there are also hackers lurking in the shadows and wearables are a new category capable of carrying malware.
Fortinet security researcher Axelle Apvrille recently detailed how a Fitbit tracker is vulnerable to hacking through its Bluetooth radio, presenting the security breach at the Hack.Lu 2015 conference.
Aprville managed not only to manipulate data stored on the tracker, such as the logged fitness data, but took the hack to the next level and used the Fitbit to distribute code to a computer. If a malicious hacker exploited that vulnerability, that code transmitted to a computer could very well be malware.
Aprville was able to infect the Fitbit Flex tracker in just 10 seconds from as much as 15 feet away, given the gadget's Bluetooth range. Malicious software could pack some code designed to slip a Trojan on a computer, or open a backdoor, when the Fitbit connects to the device for data synchronization.
The security researcher published some slides to show a few hacks, after demonstrating the more severe vulnerability at Hack.Lu.
Nevertheless, this doesn't mean that just anyone could hack a Fitbit tracker to manipulate the data stored on it or to push malicious code to a computer. Vulnerabilities reported by security researchers do not mean such attacks actually occur in the wild, and Apvrille tried to clarify this in a series of tweets following the presentation.
"To complete the scenario you'd need to execute the malicious code on the victim's host. This is yet to do (requires an exploit?)" explains one of the tweets.
In other words, this vulnerability could lead to malicious code being pushed to computers, but this is not the case just yet. For now, it's just a proof-of-concept that it's not that hard to inject code into wearables. It remains unclear for now whether the Flex is the only Fitbit tracker affected by this 10-second hack.
Fitbit, for its part, denied such allegations and argues its devices cannot serve as vehicles for infecting users with malware.
"As the market leader in connected health and fitness, Fitbit is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can't be used to infect users with malware. We will continue to monitor this issue," Fitbit said in a statement to Engadget.
