Breaking News Emails
Fitbit is defending itself against claims by a security researcher that its fitness trackers can be hacked wirelessly in 10 seconds and then be used to infect a computer with malware.
Earlier this month, Axelle Apvrille from security firm Fortinet claimed to have found a way to hack into a Fitbit through its Bluetooth connection, which could theoretically be used to infect it with malware and distribute that malware to any devices or computers it synced with.
Fitbit disputed those findings in a statement to NBC News.
"These reports are false," the company wrote. "In fact, the Fortinet researcher, Axelle Apvrille who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect user’s devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required."
In response to Fitbit's statement, a Fortinet spokesperson told NBC News that "our security threat researcher demonstrated to Fitbit a vulnerability that enabled her to inoculate a Fitbit device with arbitrary code that could be sent to computers that the device connects to over a Bluetooth connection."
Fortinet stressed that it "refrained from publishing key details" about the vulnerability so that it "could not be exploited more broadly by other malicious actors."
Hacking into a fitness tracker is certainly possible, said Maik Morgenstern, CEO of security firm AV-TEST, but the possibility of malware infecting a computer or mobile device through the tracker is low.
"I would call this a cosmetic issue that should be fixed, but I don't see any real-world relevance from a security point of view," Morgenstern told NBC News. It would take a very small Trojan (less than 17 bytes) and vulnerabilities in the synced operating system to make infection possible, he said.
That opinion was shared by Candid Wueest, who leads much of the research on wearable technology at security firm Symantec.
"It would be more likely that an attacker could only get the service process to crash, rather than execute any useful commands," Wueest told NBC News.
"Hence the current risk of getting infected through a Fitbit with regular malware is very thin."