Fitbit's fitness trackers aren't as secure as you would like them to be, a report indicates. Security researcher Axelle Apvrille of Fortinet, a multinational company that is popular for selling security-related gears and services, reported that the Fitbit fitness tracker can be hacked using its Bluetooth radio within 10 seconds. Fitbit, on the other hand, has said that the vulnerabilities reported are false.
Apvrille claims to have been able to manipulate data - such as tweaking the number of steps the tracker had logged. She was also able to use the fitness tracker to deliver code to the computers the tracker connected (synced) to. As she noted (via The Register) at the Hacktivity 2015 conference, an attacker can exploit this vulnerability for injecting malware.
The report further reveals that an attacker can infect a Fitbit device by just being within its 15-feet locus, typical Bluetooth range. Once in, a cascade of attacks can be set in just 10 seconds. The company was informed about some of these vulnerabilities in March, but it seems it hasn't patched the flaws yet.
The only silver lining in the report is that no exploit that aims to target the vulnerability has been reported as of yet, which suggests that your Fitbit model is likely safe for now. The takeaway from the report is that Internet of Things devices can often offer sub-par security sophistication, as evident from the recent breaches, and it's an area that the concerned companies should be working on.
Speaking to Forbes, a Fitbit spokesperson said that the company believes the security vulnerabilities pointed out by Apvrille are false. "As the market leader in connected health and fitness, Fitbit is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can't be used to infect users with malware. We will continue to monitor this issue," the company said.
"Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware."