posted by Fnord666 on Saturday October 10 2020, @08:21PM
from the don't-install-random-apps dept.

Fitbit Spyware Steals Personal Data via Watch Face:

A wide-open app-building API would allow an attacker to build a malicious application that could access Fitbit user data, and send it to any server.

Kev Breen, director of cyber threat research for Immersive Labs, created a proof-of-concept for just that scenario, after realizing that Fitbit devices are loaded with sensitive personal data.

"Essentially, [the developer API] could send device type, location and user information including gender, age, height, heart rate and weight," Breen explained. "It could also access calendar information. While this doesn't include PII profile data, the calendar invites could expose additional information such as names and locations."

Since all of this information is available via the Fitbit application developer API, it was a simple process to create an application to carry out the attack. Breen's efforts resulted in a malicious watch face, which he was then able to make available through the Fitbit Gallery (where Fitbit showcases various third-party and in-house apps). Thus, the spyware appears legitimate, and increases the likelihood it would be downloaded.

[...] After contacting Fitbit about the issues, Breen said the company was responsive and vowed to make the necessary changes to mitigate future breaches.

"The trust of our customers is paramount, and we are committed to protecting consumer privacy and keeping data safe," Fitbit told Threatpost, in a statement. "We responded immediately when contacted by this researcher and worked quickly and collaboratively to address the concerns they raised. We are not aware of any actual compromise of user data."

  • (Score: 0) by Anonymous Coward on Saturday October 10 2020, @09:37PM (1 child)

    by Anonymous Coward on Saturday October 10 2020, @09:37PM (#1063059)

    The Chinese are going to find out 90% of Americans are obese.

    • (Score: 0) by Anonymous Coward on Saturday October 10 2020, @09:42PM

      by Anonymous Coward on Saturday October 10 2020, @09:42PM (#1063061)

      What you mean to say is that 95% of the combined weight of Americans is contributed by obese^Hfat bastards.

  • (Score: 1, Interesting) by Anonymous Coward on Saturday October 10 2020, @09:58PM (4 children)

    by Anonymous Coward on Saturday October 10 2020, @09:58PM (#1063065)

    In what dystopian nightmare of a world would you want a device like this to be internet connected? Dancing pigs, every time.

    • (Score: 1, Touché) by Anonymous Coward on Saturday October 10 2020, @10:53PM

      by Anonymous Coward on Saturday October 10 2020, @10:53PM (#1063072)

      The dystopian nightmare of a world where this is a thing:

      https://soylentnews.org/article.pl?sid=20/10/07/0019212 [soylentnews.org]

    • (Score: 2) by Runaway1956 on Saturday October 10 2020, @10:56PM (2 children)

      by Runaway1956 (2926) Subscriber Badge on Saturday October 10 2020, @10:56PM (#1063073) Homepage Journal

      Forget the internet. I'm trying to figure out why anyone needs an electronic gadget to exercise. If you can't afford exercise equipment, I guess it would be OK to use some servers as weights. Make sure they are unplugged first, of course. Might want to crush them, so they are more compact. Put a couple bolts through a piece of pipe so you can put the servers off and on, swap them around between dumbbell pipes and bench press weights. You could save a little bit of preparation and setup time just benchpressing a mainframe.

      --
      Hail to the Nibbler in Chief.
      • (Score: 0) by Anonymous Coward on Saturday October 10 2020, @11:55PM

        by Anonymous Coward on Saturday October 10 2020, @11:55PM (#1063081)

        > I guess it would be OK to use some servers as weights.

        Hello IT, send over some big iron - I've some heavy lifting to do.

      • (Score: 2) by FatPhil on Sunday October 11 2020, @10:27PM

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Sunday October 11 2020, @10:27PM (#1063354) Homepage
        Google "strokes". Works with rats, and the average human's no more sophisticated than the average rat, so why would you expect it to not work for them?
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 0) by Anonymous Coward on Sunday October 11 2020, @08:56AM (2 children)

    by Anonymous Coward on Sunday October 11 2020, @08:56AM (#1063165)

    I received a fitbit as a gift several years ago.

    Upon charging the device, I found that I had to perform "set up" with the Android FitBit app.

    This requires bluetooth (which is almost always off on my phone) and data from the fitbit is *not* stored on the smartphone.

    Rather, when you "sync" with your phone, data is sent to fitbit's servers.

    This includes:
    distance moved/24 hours
    heart rate *right now*
    flights of stairs traversed/24 hours
    estimated calories burned/24 hours
    time spent sleeping (not displayed on the device, but can be inferred from multiple metrics)
    and probably a few other things.

    If you're interested enough in that sort of data (which many of us are), it would be great to be able to track that over time.

    For me, sharing that sort of data with fitbit just wasn't going to happen.

    As such, while I do use the device semi-regularly, I don't sync it with my phone, and so can only have ~24 hours worth of data on the device itself.

    I looked around a bunch to see if there were other mechanisms for exfiltrating the data to my own server, but I never found any.

    Apparently, these folks figured a way to do this. That they use it to upload to *their* servers isn't a good thing, but it gives me hope that I may be able to do so without sharing sensitive information with fitbit.

    • (Score: 3, Insightful) by Rosco P. Coltrane on Sunday October 11 2020, @10:06AM (1 child)

      by Rosco P. Coltrane (4757) on Sunday October 11 2020, @10:06AM (#1063179)

      Remember folks, Fitbit is Google [theverge.com] and Google is bad news for your privacy.

      • (Score: 0) by Anonymous Coward on Sunday October 11 2020, @10:26AM

        by Anonymous Coward on Sunday October 11 2020, @10:26AM (#1063186)

        Which is why I don't sync my fitbit with my phone.

        As such, Google doesn't get my data.
