According to a malware researcher, the FitBit fitness tracker from the American company of the same name can be infected with malware in ten seconds via Bluetooth. The manufacturer denies this and speaks of theoretical scenarios that are not possible in practice.
To bring about the infection, the FitBit does not even need to be connected to the attacker’s device via Bluetooth. As long as attacker and target are within Bluetooth range of each other, the infection can take place. The malware can then easily jump to computers to which the wearable is connected. For example, a backdoor can be installed on the owner’s laptop and the malware can spread further to other FitBits that are connected to the computer. In addition, the malware largely remains on the FitBit after a restart of the bracelet.
The vulnerability’s discoverer, malware researcher Axelle Apvrille of network security firm Fortinet, notified FitBit of the vulnerability in March this year. Since then, the manufacturer has done nothing to close the security hole. That is why she is now publishing her findings. She demonstrated the technique at the hack.lu conference in Luxembourg, among other places. On Twitter she adds that it is currently a proof of concept, and that there is no malicious code in her demo. Apvrille also says that it appears to concern all FitBit models.
However, FitBit itself denies to Forbes that the wearables are susceptible to such an infection. “We believe that the reports of security vulnerabilities are false and that FitBits cannot be used to infect users with malware.” Furthermore, the company states that it maintains an “open channel of communication with Fortinet” and that it “has not yet seen any data that would indicate that it is possible to distribute malware with a FitBit.”