According to a researcher affiliated with the data security company Fortinet, the Fitbit Smartband wearable can easily be hacked in just 10 seconds and can then spread a backdoor to computers and other devices it syncs with. Fortinet claims its researcher was able to use a Bluetooth antenna attached to a laptop to scan the air for the devices. Once a Fitbit device was detected in the vicinity, a Bluetooth connection was used to upload a small piece of unauthorized software.

This was a proof of concept that such an attack is possible. The hacker has to be within ten feet of the Fitbit for the exploit to work. When the Fitbit was synced via Bluetooth with a smartphone or laptop, it could possibly send the software to the connecting device as the Fitbit uploaded its data.

Fitbit has responded to the reports, saying it was impossible to infect a Fitbit device with malware via Bluetooth. The company said it will continue to monitor the issue.

Analyst comment:

This particular hack remains theoretical: Fortinet subsequently clarified that the hack was only able to upload placeholder code, and there was no proof that it was actually possible to transfer malware from a Fitbit to a second device. Furthermore, because the hack can only affect those in close vicinity of the hacker, widespread distribution is less likely, especially through Bluetooth hacks.

Nonetheless, the fact that wearable devices can be hacked through their Bluetooth settings raises a security concern for manufacturers of related products. Companies should review their Bluetooth security settings and the possibility of such features being misused by potential hackers. Where possible, Bluetooth settings should be disabled in public environments, and data security software should be upgraded to also scan synced devices for potential malware.

Published October 22, 2015