Fortinet security researcher Axelle Apvrille has presented research that shows the Fitbit Flex wristband, a wearable activity tracker, could be used as a potential source for malware infections. The wristband has open Bluetooth ports which could allow a potential attacker to inject it with a malicious payload which would then be transferred to another device such as a laptop. In a statement to The Register, Apvrille describes the methodology of this hypothetical attack: “An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance…the victim wishes to synchronise his or her fitness data with FitBit servers...the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with infected code.” Note that the initial attack would have to occur within meters of the targeted device but, once within this range would take no longer than 10 seconds to execute. 

What Ms. Apvrille did not demonstrate is how the malicious payload would be executed once connected to a second device such as a laptop. It’s important to note that this is a hypothetical scenario demonstrated by a security researcher. In a statement to Forbes, the company responded: “We believe that security issues reported today are false, and that Fitbit devices can’t be used to infect users with malware. We will continue to monitor the issue.” 

While this research does not definitively prove that malware can be spread by remotely injecting code into a fitness tracker, it raises the possibility of a new attack vector. As network security improves over time and advancements are made in the development of security software, a vulnerability in a device such as a wearable activity tracker could provide new methodology for cybercriminals to infiltrate user machines. The fitness tracker and activity band industry is expected to double from $2 billion in 2014 to $5.4 billion by 2019. As noted by The Telegram, “Barclays bank has launched a Fitbit program where 75,000 employees in the US and UK can buy a subsidised Fitbit for personal fitness” and 20 million Fitbit devices have been sold worldwide. 

In a previous presentation about hacking the Fitbit wristband, Apvrille stated that one of the limitations of injecting code into a Fitbit is that it was only possible to inject 17 bytes into the wristband, a miniscule amount of information. She goes on to cite previous viruses that were extremely small in size – the “Crash Pentium Trojan” from 2004 which was 4 bytes and the “Mini DOS virus” which was 13 bytes back in 1991.