Fitbit Spyware Steals Personal Data via Watch Face
Relaxed security and privacy practices at Fitbit has allowed for a vulnerability that compromises the device’s watch face and steals data. A researcher at Immersive Labs was able to expose a wide-open app-building API that could allow an attacker to build their own malicious application. This application could have the capability to access sensitive user data through Fitbit and forward it to any server. The proof-of-concept was released by Kev Breen, a cyber threat researcher at Immersive Labs. Breen discovered the bug once he released that Fitbit devices provided an attractive target to cyber attackers as they are full of sensitive data.
Information such as heart rate, weight, gender, age, height, location, and other valuable data could be of interest to cyber threat actors looking to exploit the vulnerability. Through the Fitbit application developer API, Breen reports that it was a simple process to create a malicious application and have the spyware approved through a Fitbit URL on fitbit.com. Although the malware was not available for public download, the link was still accessible in the public domain, free for anyone to use.