13.1.16

What does the Fitbit case mean for wearables and IoT security?

By  , ESET

Wearable activity tracking devices like those made by Fitbit were one of the hottest gifts this past holiday season and it appears criminal hackers were paying attention. According to reports by Brian Krebs and Buzzfeed, some number of Fitbit accounts were recently discovered to have been compromised.

This is not a large-scale breach where the customer account database/server was compromised. In this case it sounds like individual account passwords were stolen, guessed, or brute-forced. Scammers can obtain compromised account credentials on the black market, sometimes from criminal hackers who have managed to infect computers with keylogging malware. Attackers can also try username/password combinations harvested from prior attacks on different systems to see if they work on the target website. Note that there is no indication that any of the account passwords were stolen from, or compromised by, Fitbit systems.

These particular scammers changed the information on the account as soon as they accessed it, thus preventing the real account holders from logging in. The scammers then used the hijacked accounts to request replacement devices for supposedly “faulty” ones under warranty. Not surprisingly, the higher-end devices were targeted.

As reported by Mr. Krebs, Fitbit’s security team has recently begun assigning risk levels to incoming requests. He quoted Fitbit’s CSO, Marc Bown, as saying: “If we see an account that was used in a suspicious way or a large number of login requests for accounts coming from a small group of Internet addresses, we’ll lock the account and have the customer reconfirm specific information.” Fitbit also plans to introduce two-factor authentication to combat hijacking of Fitbit accounts via the company website.
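The two risk signals Mr. Bown describes (a large number of login requests from a small group of addresses, and an account used in a suspicious way) can be checked against ordinary login logs. The Python below is an added example written for this article, not Fitbit’s or ESET’s code; the log line format, the /24 and /64 grouping of source addresses, the thresholds, and the sample traffic (built from RFC 5737 and RFC 3849 documentation addresses) are all assumptions made for the illustration. It separates the credential-stuffing pattern (one source network trying many different accounts once each) from plain password guessing (many failures against one account), and lists the accounts that would be locked for reconfirmation because a flagged source logged into them successfully.

```python
"""Login-log heuristics for account-takeover detection.

Added illustration, not Fitbit's code. The log format, thresholds and
addresses are assumptions constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

# Assumed format: "<timestamp> ip=<addr> user=<account> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse the assumed line format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(LoginEvent(m["ts"], m["ip"], m["user"], m["result"] == "ok"))
    return events


def source_group(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so that a 'small
    group of Internet addresses' on one network shares a single counter."""
    prefix = 24 if ip_address(ip).version == 4 else 64
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def flag_stuffing_sources(events, min_attempts=20, min_users=10):
    """Credential-stuffing signature: one source network tries many distinct
    accounts. A legitimate user mistyping a password hits one account, so the
    distinct-user threshold keeps them out of the result."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for e in events:
        g = source_group(e.ip)
        attempts[g] += 1
        users[g].add(e.user)
    return {g for g in attempts
            if attempts[g] >= min_attempts and len(users[g]) >= min_users}


def flag_brute_force(events, min_failures=10):
    """Password-guessing signature: many failures against ONE account from one source."""
    fails = defaultdict(int)
    for e in events:
        if not e.ok:
            fails[(source_group(e.ip), e.user)] += 1
    return {user for (_, user), n in fails.items() if n >= min_failures}


def accounts_to_lock(events, bad_sources):
    """Accounts with a *successful* login from a flagged source: lock them and
    require the customer to reconfirm details, as the article describes."""
    return {e.user for e in events if e.ok and source_group(e.ip) in bad_sources}


def build_sample_log() -> str:
    """Constructed sample traffic (documentation addresses, not real data)."""
    lines = [
        # Normal users: one clean login, one mistyped password then success.
        "2016-01-13T09:00:00Z ip=198.51.100.7 user=alice@example.com result=ok",
        "2016-01-13T09:01:00Z ip=192.0.2.9 user=carol@example.com result=fail",
        "2016-01-13T09:01:05Z ip=192.0.2.9 user=carol@example.com result=ok",
    ]
    # Stuffing run: two addresses on one /24 try 25 leaked credentials once
    # each; one password was reused on this site and works.
    for i in range(25):
        ip = "203.0.113.10" if i % 2 == 0 else "203.0.113.11"
        user = "victim@example.com" if i == 12 else f"user{i}@example.net"
        result = "ok" if i == 12 else "fail"
        lines.append(f"2016-01-13T09:02:{i:02d}Z ip={ip} user={user} result={result}")
    # Brute force: one IPv6 source hammering a single account.
    for i in range(12):
        lines.append(f"2016-01-13T09:05:{i:02d}Z ip=2001:db8::1 user=dave@example.com result=fail")
    return "\n".join(lines)


def analyse(text: str) -> dict:
    """Run all three heuristics over a log and return the findings."""
    events = parse_log(text)
    bad = flag_stuffing_sources(events)
    return {
        "stuffing_sources": bad,
        "lock_accounts": accounts_to_lock(events, bad),
        "brute_forced_accounts": flag_brute_force(events),
    }


if __name__ == "__main__":
    for name, hits in analyse(build_sample_log()).items():
        print(f"{name}: {sorted(hits)}")
```

On the constructed log the /24 containing the two attacking addresses is flagged as a stuffing source, victim@example.com is the one account to lock (the only successful login from that network), and dave@example.com shows up under brute force; the two legitimate users are untouched because neither their attempt count nor their distinct-account count crosses a threshold. In production the thresholds would be per time window, and a successful login from a flagged source is the point at which the article’s “reconfirm specific information” step (or a second factor) belongs.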

It is important to note that this was not a hack of the Fitbit devices themselves, although there have been claims of that (like the Fitbit malware attack reported last October, which Fitbit disputed). These warranty scammers did not hack the Fitbits, but they demonstrated why people are concerned about the privacy of the data generated by wearable devices, some of which is highly personal.

Clearly, activity trackers need a secure ecosystem in which to operate; that means above-average security practices, like going above and beyond basic “username and password” authentication. The fact that Fitbit has only recently taken the defensive measures mentioned earlier suggests that the product line may not have been developed according to the principles of privacy by design (PbD).

Even though these warranty scam hacks were not device hacks, the security and safety of wearable devices, and indeed of many consumer devices in the Internet of Things (IoT), can be said to depend on how securely they work with other systems. If a wearable has to communicate with other systems in order to work, and those other systems cannot be appropriately secured, then the security of the device itself is a moot point: to use it securely, owners would need to find different, more secure services with which to use the device.

All of which gets even more tricky when wearables blur the line between consumer device and medical device. If the benefits of this technology are to be fully realized, everyone involved in deploying it needs to get serious about PbD: a well-established set of principles intended to prevent this type of breach. According to PbD it is not really acceptable to sell the general public on the idea of a device that harvests highly personal data, some of it health data, and then put the burden on the general public to protect the data. The data should be secure and private by default, for any user, regardless of their technology skills.

As to what we as consumers can learn from this incident, we need to weigh the risks of using these devices and realize that at least some of the burden of protecting them is on us. We definitely need to observe the rules of cyber hygiene. Consider the following:
  • Before you buy a wearable or install a wearable app, Google its name together with the word hack, and also with the word fraud or scam. This will alert you to published problems and enable you to make a more informed purchasing decision.
  • Set up your wearable and any associated online accounts with an obscure user name and a unique, hard-to-guess password for each account; never reuse a password from another site, since that is exactly what these scammers exploited.
  • Read the privacy policy of any device and app you currently use or plan to use. Look closely at privacy assurances. Decide how serious you think the company is about protecting your data.
  • Be prepared not to use certain features or apps if you do not feel the provider is serious about security and could potentially expose sensitive information about you.
As for wearable vendors, the biggest lesson from this latest news might be: prepare your incident response plan so that you can react appropriately in the event of a data breach, however limited in scope it might be. Remember, folks who are likely to use fitness trackers are also likely to be active on social media. Word spreads fast when something goes wrong, and you want your words to be well chosen.

And also be prepared for more than consumer scrutiny if privacy issues do arise. The FTC and FDA are both watching this space closely. You can find more discussion on the subject of wearables and security here.

Fitbit statement:
“This is not a case of Fitbit emails or servers being hacked and it would be inaccurate to state or imply otherwise. Our investigation found that the accounts were accessed by an unauthorized party using previously stolen or compromised credentials (email addresses and passwords) from other third-party sites unrelated to Fitbit.

“We take the security of our customers’ accounts very seriously, and we took immediate action to protect our users by resetting the passwords of affected users and prompting them to create new passwords. As a best practice, Fitbit recommends that our customers avoid reusing passwords associated with their email address or any other accounts, as this practice leaves them more vulnerable to this type of malicious behavior. It’s also important to note that these types of account takeover attempts are now a routine issue for many popular online sites and part of doing business.”