Fitbit trackers can be infected with malware in just 10 seconds

A security expert conducted a series of tests on Fitbit trackers and discovered that they can be infected with malware in just 10 seconds.

The security researcher Axelle Apvrille revealed that infecting Fitbit trackers with malware is too easy.

Axelle Apvrille managed to infect a FitBit Flex fitness tracker and use it as an infection vector to spread the malicious agent to any computer the device connects to.
The expert exploited a Bluetooth vulnerability that she discovered in March; although the flaw was reported to the manufacturer, it has yet to be patched.

Axelle Apvrille discovered that the popular FitBit Flex fitness trackers have the Bluetooth port open. This security issue could allow a nearby attacker to deliver an infected packet that is able to compromise the wearable object ... in less than 10 seconds.

According to Apvrille, the rest of the attack occurs by itself, and the attacker doesn't have to be near for that.

"[When] the victim wishes to synchronize his or her fitness data with FitBit servers to update their profile ... the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code," Axelle Apvrille explained to The Register.

"From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits)."

The wearable devices use proprietary technology, so Axelle Apvrille searched for security issues by reverse-engineering the messages the device exchanges with the USB Bluetooth dongle.

The expert conducted a series of tests that allowed her to discover other security issues related to the Fitbit trackers, including a way to manipulate the information received by the devices, mimicking motion even when the Fitbit trackers are stationary.

Apvrille presented the findings of her research on the Fitbit trackers at the conference in Luxembourg.