Even simple things in life, like using a Fitbit watch, can be turned into a hacking tool. While you are losing pounds, you could also be losing your personal, private and financial information. During these uncertain months of the pandemic, working out seemed like a harmless activity and a way to keep in shape. Red Sky Alliance wants to thank Becky Bracken for her report as follows:
An Immersive Labs Researcher took advantage of lax Fitbit privacy controls to build a malicious spyware watch face. A wide-open app-building API would allow an attacker to build a malicious application that could access Fitbit user data, and send it to any server. Kev Breen, director of cyber threat research for Immersive Labs, created a proof-of-concept for just that scenario, after realizing that Fitbit devices are loaded with sensitive personal data.
“Essentially, [the developer API] could send device type, location and user information including gender, age, height, heart rate and weight,” Breen explained. “It could also access calendar information. While this doesn’t include PII profile data, the calendar invites could expose additional information such as names and locations. ”Since all of this information is available via the Fitbit application developer API, it was a simple process to create an application to carry out the attack. Breen’s efforts resulted in a malicious watch face, which he was then able to make available through the Fitbit Gallery (where Fitbit showcases various third-party and in-house apps). Thus, the spyware appears legitimate, and increases the likelihood it would be downloaded.
“Using a dashboard used by development teams to preview apps, I submitted our spyware and soon had our own URL at https://gallery.fitbit.com/details/<redacted>,” he explained. “Our spyware was now live on fitbit.com. It is important to note that while Fitbit doesn’t count this as ‘available for public download’, the link was still accessible in the public domain and our ‘malware’ was still downloadable.”
Increasing the air of legitimacy, when the link was clicked on any mobile device, it opened inside the Fitbit app with “all thumbnails perfectly rendered as if it were a legitimate app,” Breen said. “From there, it was just a quick click to download and install, which I did with both Android and iPhone.”
Breen also found that Fitbit’s fetch API allows the use of HTTP to internal IP ranges, which he abused to turn the malicious watch face into a primitive network scanner. “With this functionality, our watch face could become a threat to the enterprise,” he said. “It could be used to do everything from identifying and accessing routers, firewalls and other devices, to brute-forcing passwords and reading the company intranet all from inside the app on the phone.”
After contacting Fitbit about the issues, Breen said the company was responsive and vowed to make the necessary changes to mitigate future breaches. “The trust of our customers is paramount, and we are committed to protecting consumer privacy and keeping data safe,” Fitbit told Threatpost, in a statement. “We responded immediately when contacted by this researcher and worked quickly and collaboratively to address the concerns they raised. We are not aware of any actual compromise of user data.”
Fitbit has added a warning message for users within the UI when installing an app from a private link, and it has made it easier for consumers to identify which installed apps/clocks on the mobile device are not publicly listed. Breen said that Fitbit also has committed to adjusting default permission settings during the authorization flow to being opted out by default.
As for the ease of uploading the malicious app to the gallery, “we were advised that apps submitted to the Fitbit Gallery for public download undergo manual review and that obvious spyware or applications masquerading as something else are likely to be caught and blocked from being published.”
However, Breen’s malicious watch face was still publicly accessible as of 09 October 2020. It has since removed. “We encourage consumers to only install applications from sources they know and trust and to be mindful of what data they’re sharing with third parties,” Fitbit concluded. “We give our users control over what data they share and with whom.”
Fitbit is not alone in representing an internet-of-things threat surface. The sheer exploding numbers of IoT devices coming online every day is making it hard for the security community to stay ahead of malicious actors. In September 2020, researchers realized the Mozi botnet peer-to-peer malware accounted for a full 90 percent of traffic on IoT devices. A Bluetooth spoofing bug was recently found to leave billions of devices vulnerable.
As the rest of the industry catches up, it is end users who need to be empowered to take precautions to protect their data.[1] Breen offers this advice; “if in doubt, don’t install it.”
Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://threatpost.com/fitbit-personal-data-watch-face/160003/
Comments