
Theoretical Bluetooth vulnerability

SOLVED

On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher Axelle Apvrille, who originally made these claims, has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users' devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.

 

As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.

 

We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues.  We encourage individuals to report any security concerns with Fitbit's products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/

 

You may also follow or contribute to the discussion below. Thanks to @buckeyes @Godwhacker and @WendyB for being among the first to bring these claims to the attention of the Community Team.

 

Update: The Chief Technology Officer of WatchGuard, a web security solutions company, has posted a video to explain the limitations of Apvrille's hack and why you don't need to worry about your Fitbit becoming a vehicle for malware.

Edit: clarified subject, added video

2 ACCEPTED SOLUTIONS

@buckeyes Thank you for raising this topic. I'd like to share a bit more information with you to address any concerns you and the community may have.

 

Most importantly, we believe that security issues reported today are false, and that Fitbit devices can’t be used to infect users with malware. 

 

Fortinet contacted Fitbit in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet, and have not seen any data to indicate that it is currently possible to use a tracker to distribute malware. 

 

The Register and Engadget articles, among others published today, cite the studies of Fortinet researcher Axelle Apvrille (@cryptax). Apvrille herself recently posted a series of tweets explaining the limitations of this proof of concept (PoC) scenario:

 

"concerning that scenario of infecting a fitness tracker, it's important to read the slide on limitations:

1/ it's a PoC, no malicious code 

2/ to complete the scenario you'd need to execute the malicious code on the victim's host. This is yet to do (requires an exploit?)

3/ only 17 bytes available. Though I don't feel that's really an issue

4/ I lose a few bytes after reset (but I don't think that's a big pb)"

 

As @bksalt-2 hinted at, the PoC scenario would require code to run on the host (aka your computer), and we have not seen any indication this is possible.

 

@Lovable_Loser @chris2121 @Amuse @Godwhacker Hope that helps to clarify the situation. You can learn more about Fitbit and its commitment to protecting consumer privacy and keeping data safe at https://www.fitbit.com/security/

 

 

Accepted Solution

Overnight, we received an update from the Fortinet researcher, Axelle Apvrille, confirming that this is an entirely theoretical scenario that is not possible today. Fitbit trackers cannot be used to infect users' devices with malware. It remains safe to use your Fitbit devices and no action is required.

 

Hope this helps to put your concerns to rest, @gomezz @fifila. We are working to correct the record with those media outlets which originally reported the claims. 

 

33 REPLIES

As reported by The Register: http://www.theregister.co.uk/2015/10/21/fitbit_hack/

 

This is rather serious. Does anyone know if Fitbit are doing anything about this, or even taking it seriously? It seems they were first informed of this in March.


Just seen this today

 

http://www.theregister.co.uk/2015/10/21/fitbit_hack/

 

Would Fitbit care to comment?


Hi there,

 

Please could you advise when a fix will be implemented for the problems detailed here - http://www.theregister.co.uk/2015/10/21/fitbit_hack/

 

This relates to a 10-second hack via Bluetooth which can be used to spread malware to computers which the Fitbit syncs to.

 

I look forward to a response

 

Thanks

 


A friend just told me about this story and I also am very concerned, especially if the article is accurate that Fitbit has known about this since March and not fixed it. This needs to be resolved ASAP.


This is indeed very worrying. Can we have a response from Fitbit on this?


Just read same on Engadget and am pretty concerned. You'd think Fitbit would have jumped on this in March.

Thinking about getting rid of mine unless Fitbit responds promptly!!


If you have all your anti-virus and anti-malware protection in place there is most likely no worries. I have been using Fitbit for 4 years now and have never had a hit on either my computer or my laptop or my pad. Just be diligent with your updates and you will be fine. Seems like everyone loves to spread fear to cause people to panic.


Hi bksalt-2,

 

I don't think your take on this is correct. I don't think that this is likely to be a widely abused attack vector; however, anything that circumvents normal security measures (which this does) is pretty scary. Fitbit should be making an effort to plug this whatever.


Just had a chat session with Fitbit and they will be posting something soon on the blog site and community site. They assured me this is a rumor and is not true.


Hi Fitbit folks,

 

Any public comment concerning plans to react to the exploit reported here?

 

http://www.engadget.com/2015/10/21/fitbit-tracker-bluetooth-vulnerability/



I feel much better now, just like after we were assured that the Force wasn't causing any skin issues.


To be clear, PoC means Proof of Concept. He's just showing it can be done; it requires an exploit, of course it does, but he didn't create anything malicious. He's trying to be helpful, but it would go here, and lastly he doesn't think that size is a limitation to malicious code going here.


@krafty_11 Apvrille will present her findings via a video demonstration at the 2015 Hack.lu conference tomorrow in Luxembourg.

 

We have a history of working closely with the security research community and always welcome their thoughts and feedback. While I have not been privy to the conversations between Fortinet and Fitbit, I am assured that Fitbit devices can’t be used to infect users with malware. 

 

The trust of our customers is paramount. I may not be able to answer all of your questions, so if you have technical queries that go beyond what I've outlined above, you can reach out to our experts at security@fitbit.com. If you have concerns about Force, please consult our https://www.fitbit.com/forcesupport.

 


I heard about this tonight as well. Seems highly unlikely; hope it doesn't turn out to be for real.

 

Gizmodo article on hacking a Fitbit in 10 seconds


@aredubya I've moved your post to the main thread for this discussion. Please see my recent post for more information.

 

@AirWalker Nice to hear from you. Looks like the Gizmodo link broke due to a system rule that helps us to protect member privacy by masking phone numbers (the web URL contained an expression similar to a phone number, hence the algorithm's confusion). If you insert it as a hyperlink, this shouldn't be an issue.


AllisonFitbit wrote:

 

"concerning that scenario of infecting a fitness tracker, it's important to read the slide on limitations:


Those are limitations of the PoC used to demonstrate the security hole. They do not stop a live exploit taking advantage.


@zapleahy: Tried that at your suggestion; same result: Fitbit site removes the end of the URL :(


They've made a respectable start at getting in the door. I'd be less concerned about fitbit.com, and more concerned about it being used to spread something far nastier onto a phone or PC that fitbit.com has no reason to care about. As it sits, they've got a pretty good worm going.

Courtesy of cryptax: https://www.youtube.com/watch?v=qa8qVAPPlTE

 

All credit to Axelle Apvrille https://twitter.com/cryptax