
Fitbit trackers can easily be infected with malware, and spread it on



Security researcher Axelle Apvrille has managed to deliver malware to a FitBit Flex fitness tracker, and to spread the infection to any computer that the device is subsequently connected to.

She took advantage of a vulnerability that she discovered back in March and pointed out to the manufacturer, but which has yet to be patched: the wearable device has its Bluetooth port open.

This allows attackers that can get close enough to the target device to deliver an infected packet to it in less than 10 seconds. According to Apvrille, the rest of the attack occurs by itself, and the attacker doesn't have to be near for that.


"[When] the victim wishes to synchronize his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code," she told The Register.

"From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits)."

She also discovered ways to manipulate the information received by the device, mimicking motion where there is none.

By reverse-engineering the messages the device and its USB Bluetooth dongle send to each other, she managed to discover in part how these devices work, which can definitely be helpful as this is proprietary technology and details about it are not shared with the public or the research community.

Apvrille presented her research on Wednesday at the Hack.lu conference in Luxembourg.

