10-Sec Hack Delivers First Ever Malware to Fitness Trackers


A security researcher has developed a method of exploiting a vulnerability in FitBit fitness trackers to deliver malware to the target device in 10 seconds.

Axelle Apvrille (@cryptax), a malware researcher at network security firm Fortinet, has found that FitBit wearables leave their Bluetooth ports open, a property that could enable an attacker to connect to the device from a few meters away and deliver malware to the bracelet.

[Image: FitBit (Source: PCMag)]

The hack takes about 10 seconds to complete and requires a minute to verify. Once the malware has been delivered, any device (laptop, PC, or otherwise) that connects to the wearable can be infected with a backdoor, trojan, or other malicious software program.

“An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance, then the rest of the attack occurs by itself, without any special need for the attacker being near,” Apvrille told The Register. “[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code. From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”

This is reportedly the first time malware has been delivered to a fitness tracker.

A proof-of-concept video of the hack can be viewed here.

Additionally, Apvrille will present her research on Wednesday at this year’s Hack.lu conference. She warned FitBit about the vulnerability back in March of this year, and the company expects to patch it at some point.

Source: 10-Sec Hack Delivers First Ever Malware to Fitness Trackers
