[BreachExchange] Fitbit hack bypasses end-to-end encryption

Inga Goddijn inga at riskbasedsecurity.com
Mon Sep 18 21:52:33 EDT 2017


https://www.v3.co.uk/v3-uk/news/3017436/fitbit-hack-bypasses-end-to-end-encryption

The Daily Telegraph reports that Fitbit smart bands are vulnerable to
hackers, with researchers having uncovered a way to steal personal details
from wearers.

A team at the University of Edinburgh found that it is possible to
intercept messages from the Fitbit One and Fitbit Flex bands, accessing
personal data as it is sent to Fitbit's servers for analysis. Data
intercepted in this way can be stolen or changed.

The most concerning aspect of this method is that Fitbit's end-to-end
encryption - which scrambles information so that it can only be deciphered
at its destination - provides no protection against the hack. Both the
Fitbit One and Fitbit Flex were modified to bypass encryption and access
stored information.

Fitbit says that it has updated its software to fix the security issue.

Dr Paul Patras of the University said, "Our work demonstrates that security
and privacy measures implemented in popular wearable devices continue to
lag behind the pace of new technology." He praised Fitbit's fast response
to the problem.

In a statement, Fitbit said, "We are always looking for ways to strengthen
the security of our devices, and in the upcoming days will start rolling
out updates that improve device security, including ensuring encrypted
communications for trackers launched prior to Surge [summer 2016]. The
trust of our customers is paramount and we carefully design security
measures for new products, continuously monitor for new threats, and
diligently respond to identified issues."

This is not the first time that Fitbit has been highlighted as a potential
hacking target. Researchers from cyber security firm Fortinet exposed a
vulnerability in the company's products in 2015
<https://blog.fortinet.com/2015/10/23/responsible-disclosure-and-iot> -
although Fitbit rubbished the claims at the time.

BMC Software's Paul Cant, VP EMEA, told V3:

"The rise in popularity of wearable devices has made them an obvious target
for hackers to capture personal and sensitive information. It is therefore
essential that organisations have a durable cyber security strategy in
place to ensure they are effectively equipped to deal with the ever-growing
and evolving digital threats.

"In order to mitigate the security risks of vulnerabilities - like those
that have been discovered in Fitbit devices - SecOps teams need to quickly
identify the flaws, prioritise them against other threats and fix them,
thus safeguarding customer and personal data from any future cyber
insurgency."