- It can wake you up with a silent vibration alarm.
- The device is water-repellent.
- The sensor can be removed (and used with other Flex wristbands).
- It is synchronized via USB and can be used via the Fitbit app.
- It does wireless syncing via Bluetooth.
- It has an OLED display.
The hack, which was reported to Fitbit in March, makes use of the open Bluetooth connection of a Fitbit wearable.
“From there, [the fitness tracker] can deliver a specific malicious payload on the [PC], that is, start a backdoor, or have the [system] crash [and] can propagate the infection to other trackers,” Apvrille added.
How Does the Hack Work?
- Reverse engineer the Fitbit protocols and manipulate the number of tracked steps and distance covered by the user.
- After this, send a malicious payload (size: 17 bytes) over the Bluetooth signal to the wireless tracker.
- Now, transmit this payload to a computer.
- Tearing down the Fitbit Flex and its USB dongle, the researcher demonstrated how hackers could exploit the vulnerability to create fake exercise data and add as many rewards as they wanted.
- Apvrille was able to connect to the wireless band and infect it too.
- Any laptop or PC that connects with the infected wearable device can potentially be infected with a trojan, backdoor, or whatever the attacker wants.
- The device could work as a hardware Random Number Generator (RNG).
- The device could spy on users.
Fitbit – Flaws Reported in Fitbit are ‘FALSE’
“Since that time we’ve maintained an open channel of communication with Fortinet. We haven’t seen any data to indicate that it is possible to use a tracker to distribute malware.”