Syncing an infected Fitbit could be a security risk, says analyst, but Fitbit’s not worried

Andy Boxall

Fitness trackers like the Fitbit are great for reaching personal fitness goals and monitoring progress, but the technology inside of them has the potential to do a lot more than that — it could one day save your life.

A 42-year-old man from New Jersey was recently rushed to the hospital after suffering a seizure, where doctors found that the man had an irregular and fast heartbeat. Only problem was, they weren’t sure if this was a chronic condition or something he was experiencing due to the seizure.


That’s when the doctors treating him noticed he was wearing a Fitbit Charge HR. Normally doctors wouldn’t have information about what the patient was experiencing immediately before a seizure, but the Fitbit helped eliminate a lot of those unknowns. Using the data, doctors detected that the man had in fact been experiencing the irregular heartbeat leading up to the seizure, after which they decided to perform an electrocardioversion to help return the heart to its normal heartbeat.

“Using the patient’s activity tracker — in this case, a Fitbit — we were able to pinpoint exactly when the patient’s normal heart rate of 70 jumped up to 190,” said Dr. Alfred Sacchetti from the Our Lady of Lourdes Medical Center in Camden, NJ, in a statement.


This is the first documented case of doctors using a fitness tracker to help diagnose a patient, and it most likely will not be the last. Not all fitness trackers have heart rate monitors, but the vast majority of them do, and the feature could become key in treating heart-related medical issues. Sure, Fitbits aren’t technically classified as medical devices, as the data they collect isn’t as accurate as that from a true medical device, but the information they and other fitness trackers provide could still be invaluable in helping save someone’s life.

The Fitbit has been used to detect a range of different changes in heart rate — recently a woman found out she was pregnant after seeing changes in her heart rate and Googling what could be causing them.


A researcher for security company Fortinet has revealed the Fitbit fitness tracker may be used as a vessel to infect your computer with malware, due to vulnerabilities in the way it uses Bluetooth. However, before wearers get too paranoid, the demonstration is only proof that it could happen, rather than something that is happening, and Fitbit has said it hasn’t seen any conclusive data that its wearable could be used this way.

Updated on 10-23-2015 by Andy Boxall: Added in a statement from Fitbit, highlighting the hack was a “theoretical scenario.”

Fitbit issues statement on hack

Following the publication of the story, Fitbit got in touch with Digital Trends and provided the following statement. Here’s the official line on the situation:

“On Wednesday October 21, 2015, reports began circulating in the media based on claims from security vendor, Fortinet, that Fitbit devices could be used to distribute malware. These reports are false. In fact, the Fortinet researcher, Axelle Apvrille who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible. Fitbit trackers cannot be used to infect user’s devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required.

As background, Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is possible to use a tracker to distribute malware.

We have a history of working closely with the security research community and always welcome their thoughts and feedback. The trust of our customers is paramount. We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues.”

Proof of concept hack demonstrated


What prompted Fitbit to start reassuring its customers? It began when Fortinet analyst Axelle Apvrille showed evidence that a hacker within a few meters of a Fitbit device could exploit open Bluetooth ports to place an infected packet onto it, which would transfer to a computer upon syncing later.

It was suggested this could be used to install a trojan or backdoor, and lead to serious problems. The file hidden in the Fitbit would remain even if the device was restarted, and could be sent to it in just 10 seconds, so it could happen when you’re passing someone in the street. There’s a video of the exploit in action here, if you’re interested in the technical side.

However, while the exploit sounds concerning, it’s not something that’s in the hands of criminals, and still requires executing on the host device — something that can’t be done automatically. Apvrille also said she alerted Fitbit to the problem back in March, but says the vulnerabilities are still there today, because the company considers it a low-level bug that will be fixed in the future.