Fitbit on security


post updated with official response from Fitbit

I contacted Fitbit Support to ask them about this article, describing security vulnerabilities in the bluetooth radio of the wearable Fitbit devices. I'd sent it through their website, so I don't have the exact text, but it was something like:

Do you have any information for Fitbit users in response to the Engaget article? (with a link to the article)

Their support team responded later that day with this:

Thank you for calling our attention to Engadget's article.

We have clip and wristband trackers, both trackers type when are worn according to instructions are secure, pegs of the clasps should have gotten through the wristband base, in order to do this, we suggest to our customers, to press both sides of each peg with a plastic card.

However, a fall or a sudden pressure on your wrist may make the clasp accidentally unlatches

In order to add safety to the Flex clasps, there are gadget for sale through online retailers "safety rings" are called, that provide extra strength in case of accident.

How all wearable products, when possible we suggest replacing wristbands, in case they feel "loose" to the clasp pegs.

Any further question, please let us know, we are glad to assist you.

So. Um. The solution to an unsecured bluetooth radio is to make really sure that the clasp on the wristband is properly fastened. Problem solved.

Update: 2015-10-13 Fitbit has posted a statement:

On Wednesday October 21, 2015, reports began circulating in the media based on claims from security vendor, Fortinet, that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher who originally made these claims, Axelle Apvrille, has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect user's devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.

As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we've maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.

We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit's products or online services to security@fitbit.com. More information about reporting security issues can be found online at https://www.fitbit.com/security.

comments powered by Disqus