Do you know Fitbit?
It’s a tech company that develops health and fitness gadgets. While its main product is built to track and measure daily physical activity (with 10,000 steps per day as the preset goal), in this case bad actors could have been the ones tracking its customers.
Cybercriminals could have accessed Fitbit user data and sent it to any server of their choosing, thanks to the company’s wide-open app-development tools.
Is Fitbit Stealing Your Personal Data?
Besides step-tracking, Fitbit technology also provides heart-rate, GPS, and sleep tracking, combined with music storage, and Call + Text notification.
As you might guess, the company’s gadgets are connected to the user’s smartphones.
Here’s where the proof-of-concept scenario started: Kev Breen (director of cyber-threat research) realized that Fitbit devices hold a great deal of personal data.
“Essentially, [the developer API] could send device type, location, and user information including gender, age, height, heart rate, and weight.
It could also access calendar information. While this doesn’t include PII profile data, the calendar invites could expose additional information such as names and locations.”
All the information was within a hacker’s reach; only a simple process was needed to build an application that carried out the attack.
To keep the test rolling, Breen built a malicious watch face (spyware) designed to look legitimate, increasing the likelihood that it would be downloaded.
After the link was clicked on a mobile device, the Fitbit app opened “perfectly rendered as if it were a legitimate app. From there, it was just a quick click to download and install, which he did with both Android and iPhone.”
To the user, it looked entirely legitimate.
Breen additionally found that Fitbit’s fetch API permits HTTP requests to internal IP ranges. He abused this to turn the watch face into a crude network scanner.
“With this functionality, our watch face could become a threat to the enterprise. It could be used to do everything from identifying and accessing routers, firewalls, and other devices, to brute-forcing passwords and reading the company intranet – all from inside the app on the phone.”
Fitbit was contacted about the issue. The company was responsive, committing to make the changes necessary to mitigate the privacy risks.
Fitbit also added a warning message in the UI for users installing an app through a private link, to make it easier for them to identify apps on their smartphones that are not listed in the public gallery.
They also committed to adjusting the default permission settings in the authorization flow so that permissions are opted out by default.
And lastly, they addressed the subject of malicious gallery app uploads:
“We were advised that apps submitted to the Fitbit Gallery for public download undergo a manual review and that obvious spyware or applications masquerading as something else are likely to be caught and blocked from being published.”
“We encourage consumers to only install applications from sources they know and trust and to be mindful of what data they’re sharing with third parties. We give our users control over what data they share and with whom.”
To be clear, we have no personal criticism of Fitbit.
Today’s article intends to show that Fitbit is not alone in facing the issues surrounding internet-of-things devices.
This is a threat that will only keep growing.
So you should be more careful now than before. Your business could be at risk unless you are equipped to take the right precautions to protect your own and your customers’ data.
As Breen advises: “if in doubt, don’t install it.”
That applies to the provider as much as to the end-user.
That being said, is your business protected enough?