Fitbit devices can be hacked, research shows

Popular Fitbit devices are vulnerable to hackers, according to a new study that reveals how personal information can be stolen from the fitness bands.

Computer researchers at the University of Edinburgh intercepted messages from the Fitbit One and Fitbit Flex wristbands, which calculate activity including steps, distance travelled, calories burned and sleep duration.

The team accessed personal information from the devices as it was sent to the company’s cloud servers for analysis. The researchers said the problem could be used to falsify activity records or steal personal data.

Fitbit secures its devices with end-to-end encryption, which means messages are scrambled in transit and are only deciphered once they reach their destination. But the University of Edinburgh study showed the security measures can be circumvented.

[Image: Fitbit Flex 2. Fitbit released its Flex 2 device in 2016. Credit: Fitbit]

The researchers modified the Flex and One to let them bypass encryption and access information stored on the devices.

This work demonstrates that security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology.

Dr Patras added that hackers could use the method to steal health data and possibly blackmail users. They could extract information and say you’re not as active as you say you are. Or use the data for other nefarious purposes.

Fitbit has updated its software to fix the security problems and enhance privacy for its customers.

We welcome Fitbit’s receptiveness to our findings, their professional attitude towards understanding the vulnerabilities we identified and the timely manner in which they have improved the affected services.

Fitbit said it has used end-to-end encryption since 2016 and is committed to keeping its customers’ information secure.

We are always looking for ways to strengthen the security of our devices, and in the upcoming days will start rolling out updates that improve device security, including ensuring encrypted communications for trackers launched prior to Surge. The trust of our customers is paramount and we carefully design security measures for new products, continuously monitor for new threats, and diligently respond to identified issues.

Previous research has shown how Fitbit devices can be hacked. Security firm Fortinet showed in 2015 how malicious software could be downloaded onto Fitbit trackers without the user noticing. Fitbit denied the possibility.