UPDATE: Fitbit Hack Demo Takes Just Ten Seconds

Security / Tech

Hacker Axelle Apvrille demoed her Fitbit hack at the Hacktivity Conference in Budapest last month that only takes ten seconds to implement. After the malware or virus is injected into the Fitbit via its open Bluetooth connection, it can then deliver the package to the user’s computer once they sync with the computer. Apvrille was also able to manipulate the data on the Fitbit, increasing or decreasing the activity or metrics stored on the device. During her presentation she noted that many audience members were wearing the device and at anytime she could infect them as she wished.

UPDATE 10/22/2015: A Fitbit spokesperson wrote to us with the following statement to update this story.

On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect users’ devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.

As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.

We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues.  We encourage individuals to report any security concerns with Fitbit’s products or online services to [email protected]. More information about reporting security issues can be found online at https://www.fitbit.com/security/.


“She showed that the Fitbit firmware has vulnerabilities that allowed her to plant arbitrary bytes into the Fitbit, those bytes then being, ‘reflected’ to a computer talking to a Fitbit,” Guillaume Lovet, a senior manager at FortiGuard, part of Fortinet, told CBS News.

“She did not go as far as making a malicious payload with those bytes, that would exploit the computer (and plant some malware in it), but it is theoretically possible to do that,” he explained.

The hack works entirely hands free from the target, the Fitbit only need be in Bluetooth range and the hacker can inject the malware or virus payload into it. No word on if this hack is in the wild or still only in the hands of Apvrille, we have reached out to Fitbit for comment.

  Source: CBS
To Top