BreachExchange mailing list archives
Fitbit hack bypasses end-to-end encryption
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Mon, 18 Sep 2017 20:52:33 -0500
https://www.v3.co.uk/v3-uk/news/3017436/fitbit-hack-bypasses-end-to-end-encryption

The Daily Telegraph reports that Fitbit smart bands are vulnerable to hackers, with researchers having uncovered a way to steal personal details from wearers.

A team at the University of Edinburgh found that it is possible to intercept messages from the Fitbit One and Fitbit Flex bands, accessing personal data as it is sent to Fitbit's servers for analysis. Data intercepted in this way can be stolen or changed.

The most concerning aspect of this method is that Fitbit's end-to-end encryption - which scrambles information so that it can only be deciphered at its destination - provides no protection against the hack. Both the Fitbit One and Fitbit Flex were modified to bypass encryption and access stored information.

Fitbit says that it has updated its software to fix the security issue.

Dr Paul Patras of the University said, "Our work demonstrates that security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology." He praised Fitbit's fast response to the problem.

In a statement, Fitbit said, "We are always looking for ways to strengthen the security of our devices, and in the upcoming days will start rolling out updates that improve device security, including ensuring encrypted communications for trackers launched prior to Surge [summer 2016]. The trust of our customers is paramount and we carefully design security measures for new products, continuously monitor for new threats, and diligently respond to identified issues."

This is not the first time that Fitbit has been highlighted as a potential hacking target. Researchers from cyber security firm Fortinet exposed a vulnerability <https://blog.fortinet.com/2015/10/23/responsible-disclosure-and-iot> in the company's products in 2015 - although Fitbit rubbished the claims at the time.
BMC Software's Paul Cant, VP EMEA, told V3: "The rise in popularity of wearable devices has made them an obvious target for hackers to capture personal and sensitive information. It is therefore essential that organisations have a durable cyber security strategy in place to ensure they are effectively equipped to deal with the ever-growing and evolving digital threats.

"In order to mitigate the security risks of vulnerabilities - like those that have been discovered in Fitbit devices - SecOps teams need to quickly identify the flaws, prioritise them against other threats and fix them, thus safeguarding customer and personal data from any future cyber insurgency."