Recently, researchers revealed that hackers can bypass the protection of the app store to launch the Fitbit spyware. Read on to know more…
The fitness industry is facing constant cyberattacks, which are adding to the challenges it already faces. At the same time, its growing use of technology is becoming a double-edged sword, leaving several loopholes for users to fall into. A single vulnerable server or piece of software is enough to give cybercriminals a foothold from which to compromise an entire organization.
Recently, a researcher claimed to have uploaded a spyware-laden app to Fitbit’s official site, where it was readily available for download by online visitors. In simple terms, this means hackers can bypass the protection of the app store to launch Fitbit spyware that steals data from the watch face.
A security researcher at Immersive Labs was able to expose a wide-open app-building API that could allow an attacker to build their own malicious application. Such an application could access sensitive user data through Fitbit and forward it to any server. The proof-of-concept was released by Kev Breen, a cyber threat researcher at Immersive Labs. Breen went looking for the bug once he realised that Fitbit devices, being full of sensitive data, present an attractive target to cyber attackers.
The researcher created a malicious watch face, using the app-building APIs, that could steal sensitive personal data stored on Fitbit devices. Lax Fitbit privacy controls let the researcher push this app to the Fitbit Gallery – Fitbit’s app store, which showcases all of its in-house and third-party apps – thereby bypassing detection. A simple download and install of this application by the end user could infect the device (Android and iPhone) and steal data.
Crucial Health Parameters
Crucial information such as heart rate, weight, gender, age, height, location, and other valuable data could be of interest to cyber threat actors looking to exploit the vulnerability. Breen reports that, through the Fitbit application developer API, it was a simple process to create a malicious application and have the spyware approved under a Fitbit URL on fitbit.com. Although the malware was not listed for public download, the link was still accessible in the public domain, free for anyone to use.
Challenges for Industry
Rapid digitization and dependence on technology have expanded the attack surface. The sports and fitness industry is becoming a soft target for cybercriminals as it does not have any clear security guidelines for protection against cyberattacks.
According to an ESET report, malware attacks may continue to target fitness and sports data, as it opens new ways for cybercriminals to pressure businesses into paying ransoms. The Garmin cyber incident should be an eye-opener for industry players. In addition, the report indicates that besides locking up data or devices for ransom, cybercriminals may further attempt to steal the data to sell it on underground forums.
According to experts, organizations must understand the importance of protecting sensitive information and have a proper response plan to recover quickly from such attacks.
Fitbit recommended a few security measures to all its users:
• Fitbit recommends that all users install applications only from authorized sources.
• Users should know and trust the third parties they share data with, and be mindful of what data they are sharing.
• Stop using any third-party stores.
Moreover, Fitbit said that it believes the trust of its customers is paramount, and that it is committed to protecting consumer privacy and keeping their data safe.