Kevin Breen, director of cyber threat research at Immersive Labs, built a proof-of-concept exploit for Fitbit devices after finding that a malicious app could be written against one of the Fitbit APIs. Such an app could read the personal data held on a Fitbit, including the device type, the wearer's location, and profile and sensor data such as gender, age, height, weight and heart rate. Breen packaged the app as a watch face and was able to make it downloadable from fitbit.com.

Describing how he got it there, Breen said: "Using a dashboard used by development teams to preview apps, I submitted our spyware and soon had our own URL at https://gallery.fitbit.com/details/<redacted>. Our spyware was now live on fitbit.com. It is important to note that while Fitbit doesn't count this as 'available for public download', the link was still accessible in the public domain and our 'malware' was still downloadable."

What makes this kind of app dangerous is that it can be modified to do far more than read fitness data. Because it runs with the companion on the phone, Breen noted, it could pull "everything from identifying and accessing routers, firewalls and other devices, to brute-forcing passwords and reading the company intranet – all from inside the app on the phone."
Fitbit has said it is aware of the issue and has committed to addressing it. It has already made it easier to identify apps and watch faces that are not publicly listed for download, and it says that any app submitted to the Fitbit gallery for public download will receive a manual review, which should reduce the chance of malicious content going undetected. Note that Breen's app was reachable through a direct link without being publicly listed, so the practical check for users is how they arrived at an app: as with any IoT device, install apps only from trusted, listed sources rather than from links shared elsewhere.