Fitbit allowed spyware on official app store – research

Exercise tracker firm tightens security controls to thwart social engineering-based attack

Attackers could potentially upload malicious apps to Fitbit's website, a researcher discovered

Miscreants had the ability to upload a malicious app containing spyware to Fitbit’s official website, a security researcher has discovered.

Fitbit markets fitness trackers which can monitor a user’s heart rate, calorie intake, and exercise sessions, among other data.

Its devices are compatible with a number of apps which can be downloaded from its official website and other app stores. Customers can also download watch faces.

Security researcher Kevin Breen from Immersive Labs revealed today how he was able to create a spyware-laden app and upload it to Fitbit’s official website, where it could be downloaded.

“I was able to write a piece of Fitbit spyware which could basically steal everything from location to personal body data, as well as being capable of connecting to company networks for a range of potentially malicious actions,” Breen told The Daily Swig.

“I was then able to upload it to a private section intended for developers on the Fitbit Gallery, which is where users come to get apps and watch faces. From here, I had no problem installing it on a single victim device.”

Breen claims he was able to upload the app onto the official domain without approval because private applications are only manually screened after they have been added.

“Anything being offered from a trusted domain such as this will subconsciously seem more legitimate to a potential target, increasing the chances of it being downloaded,” Breen said.

The researcher reported his findings to Fitbit, which said there is no evidence that any personal data has been compromised.

No evidence of compromise

A Fitbit spokesperson told The Daily Swig: “We are not aware of any actual compromise of user data.

“We have already implemented improvements to address the concerns, including adding a warning message to users before installing a private app and making it clear which installed apps and/or clock faces are private rather than part of our public gallery.

“It’s important to note that privately shared apps, which typically are used to enable developer testing, are not visible or searchable through the public Fitbit App Gallery.

“The Fitbit APIs for accessing data from Fitbit devices do not provide any personally identifiable location or metrics data.

“All apps submitted for publication to the public App Gallery are subject to Fitbit review, and all apps – whether submitted for private use or submitted for public availability in the App Gallery – must follow stated guidelines and terms to protect our users.

“We encourage consumers to only install applications from sources they know and trust and to be mindful of what data they’re sharing with third parties. We give our users control over what data they share and with whom.”

Breen was not eligible for a bug bounty payout under Fitbit’s rules, which exclude rewards for what the vendor classifies as social engineering attacks.

The researcher told The Daily Swig that social engineering attacks should be taken more seriously by technology providers.

He said: “Social engineering is a huge, key part of the attack process. While it is hard to put technical controls in place around people, there are ways to make the user aware of the risks before installing anything.

“Thankfully, Fitbit seems to have taken this seriously and has moved to put mitigations in place after reading the research.”

Fitbit added: “The trust of our customers is paramount, and we are committed to protecting consumer privacy and keeping data safe.

“We responded immediately when contacted by this researcher and worked quickly and collaboratively to address the concerns they raised.”
