Hacking Fitbit
This is impressive:
“An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near,” Apvrille says.
“[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.
“From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”
That’s attacker to Fitbit to computer.
Marc Bown • October 22, 2015 2:32 PM
It's a great story, but some of the details are missing. The researcher has cleared things up:
https://twitter.com/cryptax/status/656950863676743680
https://twitter.com/cryptax/status/656951098050260992
https://twitter.com/cryptax/status/656951545205030912
In other words, it is possible to place data onto a Fitbit and to retrieve that data, but not to cause automatic code execution or malware propagation.