Fitbit trackers can be infected with a malware in just 10 seconds

A security expert conducted a series of tests on Fitbit trackers and discovered how they can be infected with malware in just 10 seconds.

The security researcher Axelle Apvrille revealed that infecting Fitbit trackers with malware is too easy.

Axelle Apvrille managed to infect Fitbit Flex fitness trackers and use them as an infection vector to spread the malicious agent to any computers the devices are connected to.
The expert exploited a Bluetooth vulnerability that she discovered in March; although the flaw was reported to the manufacturer, it has yet to be patched.

Axelle Apvrille discovered that the popular Fitbit Flex fitness trackers have the Bluetooth port open; this security issue could allow a nearby attacker to deliver an infected packet that is able to compromise the wearable in less than 10 seconds.

According to Apvrille, the rest of the attack occurs by itself, and the attacker doesn’t have to be near for that.

“[When] the victim wishes to synchronize his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code,” Axelle Apvrille explained to The Register.

“From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”

The wearable devices use proprietary technology; Axelle Apvrille searched for security issues by reverse-engineering the messages the device exchanges with the USB Bluetooth dongle.

The expert conducted a series of tests that allowed her to discover other security issues related to the Fitbit trackers, including a way to manipulate the information received by the devices, mimicking motion even when the Fitbit trackers are stopped.

Apvrille presented the findings of her research on the Fitbit trackers at the Hack.lu conference in Luxembourg.

Pierluigi Paganini

(Security Affairs – Fitbit trackers, IoT)

UPDATE October 23, 2015

I was contacted by a person on behalf of the Fitbit company who emailed me the following statement, which provides further info on the scenario described by Apvrille.

“On Wednesday October 21, 2015, reports began circulating in the media based on claims from security vendor, Fortinet, that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users’ devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.

As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.

We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues.  We encourage individuals to report any security concerns with Fitbit’s products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security/.”