A possible vulnerability has been found that allows attackers to inject unauthorized code into some models of Fitbit wearable devices. The research was developed by Fortinet senior researcher Axelle Apvrille and presented at the Hack.lu security research conference; Apvrille claims that the injected code is able to persist on one model of the fitness devices across several restarts and to send modified data packets to a synced computer.
2/ to complete the scenario you’d need to execute the malicious code on the victim’s host. This is yet to do (requires an exploit?)
— Axelle Ap. (@cryptax) October 21, 2015
While Apvrille states that there have been no known real-world attacks leveraging this vulnerability, the research is still notable as a reminder that wearables introduce a new attack vector.
As has been demonstrated, Internet of Things (IoT) devices can pose a security threat to companies that deploy them. But as Fitbit wearables are generally tools for consumers, they represent the possibility of unsanctioned devices finding their way onto corporate networks. Andrew Hay, director of OpenDNS Security Labs, writes in the 2015 Internet of Things in the Enterprise Report that IoT can be seen as the next wave of the “consumerization” of enterprise IT:
“Early adopters sanctioning IoT use are likely considered fringe cases at this time. Underprepared companies will find they are unable to prevent the tech-savvy employee from bringing their latest toy into the office and connecting it to the network.”
Additionally, Fitbit devices were one of the most common IoT devices found in actual, live enterprise environments:
Fitbit has responded to Apvrille’s research claims, stating that the company has “not seen any data to indicate that it is currently possible to use a tracker to distribute malware.” The full text of Fitbit’s statement follows:
“On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users’ devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.
As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.
We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit’s products or online services to firstname.lastname@example.org. More information about reporting security issues can be found online at https://www.fitbit.com/security/.”