Updated A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath.

The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and can spread to other computers to which an infected FitBit connects.

Attacks over Bluetooth require an attacker hacker to be within metres of a target device. This malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. Testing the success of the hack takes about a minute, although it is unnecessary for the compromise.

Fortinet researcher Axelle Apvrille (@cryptax) told Vulture South that full persistence means it does not matter if the FitBit Flex is restarted; any computer that connects with the wearable can be potentially infected with a backdoor, trojan, or whatever the attacker desires.

(Of course, the malicious code stashed on the gadget must find a way to execute on the connected PC, but that's an exercise left to the reader.)

"An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near," Apvrille says.

"[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.

"From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits)."

It is the first time malware has been viably delivered to fitness trackers.

Youtube video

The attack vectors are still present. Apvrille warned FitBit in March and says the company considers it a bug which will be squashed at some point.

Apvrille, a respected malware researcher, will offer a proof-of-concept demonstration video at the Hack.Lu conference in Luxembourg tomorrow.

"The video demonstrates that the infection persists over multiple messages," she says. "Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code."

Apvrille has pulled off other hacks; she is able to manipulate the number of counted steps and logged distance to earn badges that can be traded in for discounts and prizes.

Those badges can be turned into discounts and gifts through third-party companies such as Higi which in April launched an API to help companies receive health data derived from wearables.

Apvrille has reversed 24 messages from the Fitbit tracker and 20 from the USB Bluetooth dongle as part of the largely ground-up reverse engineering work since the devices are closed-source and do not come with documentation on software internals.

She says communication is over XML and Bluetooth Low Energy while encryption and decryption occurs on the wearable device, and not on the dongle which is "outside of the security boundaries".

The communications data sets are divided into "mega dumps" that include walking steps and user activity information, and "micro dumps" which relate to pairing, server responses, and device identifiers.

The work adds new information on the low-level software internals of Fitbit to an existing repository of work built by fellow researchers.

It is not the first security blunder for the fitness strap. In 2013 researchers were able to fake login information to access any Fitbit account thanks to then lax authentication checks, allowing attackers to earn prizes.

And in 2011 the sexual activities of users were publicly spewed over web searches revealing whether those who had engaged in "vigorous" or “passive and light” efforts.

Dumb hacks exist that allow the lazy to trick the sensors into thinking steps are being taken. In 2013 some researchers tied Fitbits to a car tyre and drove 16km/h to simulate steps. ®

Updated to add

Fitbit's been in touch to say it "... is focused on protecting consumer privacy and keeping data safe. We believe that security issues reported today are false, and that Fitbit devices can’t be used to infect users with malware. We will continue to monitor this issue.

"Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware."

The researcher delivering the talk we reported has since pointed out, in tweets like the one below, that the attack is a proof of concept, theoretical, and not something that's in the wild.

concerning that scenario of infecting a fitness tracker, it's important to read the slide on limitations 1/ it's a PoC, no malicious code — Axelle Ap. (@cryptax) October 21, 2015

2/ to complete the scenario you'd need to execute the malicious code on the victim's host. This is yet to do (requires an exploit?) — Axelle Ap. (@cryptax) October 21, 2015

3/ only 17 bytes available. Though I don't feel that's really an issue 4/ I lose a few bytes after reset (but I don't think that's a big pb) — Axelle Ap. (@cryptax) October 21, 2015