Hacking a Fitness Bracelet Is Possible, Researchers Say

Wearables are a part of a highly vulnerable category of computing called the Internet of Things. Researchers have already shown that they can remotely shut off Web-connected cars, compromise medical devices and steal email contacts from refrigerators.

By Sean Sposito, San Francisco Chronicle

Social media lit up after a Fortinet security researcher demonstrated she could use Bluetooth to inject code onto a Fitbit Flex — a method criminals could use to spread malware.

A USA Today story was shared on LinkedIn more than 200 times. blew up. abounded, all with people wondering: Could someone compromise my computer or phone through my Fitbit?

It didn’t take long for the San Francisco company to answer.

This is a “theoretical scenario and is not possible,” a spokeswoman emailed the Chronicle. “Fitbit trackers cannot be used to infect users’ devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.”

This is mostly true.

There is no proof such a hack has ever happened — nor is there much likelihood that criminals would choose to devote their time to such an activity.

“We’ve rated it low risk,” admits Derek Manky, Fortinet’s global security strategist.

There are a couple of reasons, he explained:

First, a hacker would need to develop code that could actually pull it off.

This wouldn’t be easy.

To tunnel its way from a Fitbit to its owner’s computer or mobile phone, the code would need to be sophisticated — but also small enough to be stored by the fitness tracker.

Furthermore, all of this assumes that someone wants to hack you. Yes, you, in particular.

Criminals usually do these things at scale, requiring them to break into multiple machines at once for the best chance at a maximum payout.

This method infects only one device at a time, requiring an attacker to be in range of your Fitbit — within 10 feet.

Unless you’re the president of a nation or perhaps one of the country’s biggest banks, it’s unlikely someone would go through all that trouble to pry their way into your computer.

Still, Fitbits are a part of a highly vulnerable category of computing called the Internet of Things. Researchers have already shown that they can remotely shut off Web-connected cars, compromise medical devices and steal email contacts from refrigerators.

Fitbits are among the most common Internet of Things gadgets, according to a Cisco-owned cloud security company that monitors Web devices.

And Bluetooth, a wireless technology meant to be used to transmit data over relatively short distances, has repeatedly proven to be a weak point that criminals can compromise.

Perhaps Fitbit is guilty of overstatement when it contends such an attack is outside the realm of possibility.

“It’s highly unlikely but it certainly outlines the risk of these kind of IoT devices where there could be some concern,” said Greg Martin, a serial cybersecurity entrepreneur now working on a stealth mode startup.

“Companies like Fitbit don’t think about cybersecurity. They’re thinking about ease of device, low power, they aren’t thinking about hackers until it’s already an issue” and exposed by security research.

©2015 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.