Fitbit Hack: What Are the Lessons?Why Wearable Device Makers Need to Get Serious About Privacy
Hackers have reportedly gained access to the accounts of dozens of Fitbit wearable fitness device users.
See Also: 2016 State of Threat Intelligence Study
Cybercriminals allegedly used leaked email addresses and passwords from third-party sites to log into accounts of Fitbit wearable device users in December, according to a report from BuzzFeed.
Fitbit confirmed that once inside the accounts, the attackers changed details and attempted to defraud the company by ordering replacement items under the user's warranty, according to the BuzzFeed report. The attackers also reportedly had access to customer data, including GPS history, which shows where a person regularly runs or cycles, as well as data showing what time a person usually goes to sleep.
A Fitbit spokeswoman tells Information Security Media Group, "This is not a case of Fitbit emails or servers being hacked, and it would be inaccurate to state or imply otherwise. Our investigation found that the accounts were accessed by an unauthorized party using previously stolen or compromised credentials - email addresses and passwords - from other third-party sites unrelated to Fitbit."
The company took "immediate action to protect our users by resetting the passwords of affected users and prompting them to create new passwords," the spokeswoman says. "As a best practice, Fitbit recommends that our customers avoid reusing passwords associated with their email address or any other accounts, as this practice leaves them more vulnerable to this type of malicious behavior. It's also important to note that these types of account takeover attempts are now a routine issue for many popular online sites and part of doing business."
Taking Privacy Seriously
The incident shows why manufacturers of wearable devices, some of which may be used to gather data for healthcare purposes, "need to get serious about 'privacy by design' and provide security that is not so dependent on users," says security expert Stephen Cobb of IT security firm ESET.
"It is not acceptable to sell the general public on the idea of a device that harvests highly personal data and then put the burden on the general public to protect the data," he says. "The data should be secure and private by default, for any user, regardless of their technology skills. Companies that make wearables need a customer-friendly response plan in place for when something like this happens - and they should not assume it won't."
The Fitbit spokeswoman says customers using "Log in with Google" can make use of multi-factor authentication today. "We are also working on native multi-factor authentication for Fitbit.com accounts and plan to make this available later in 2016."
Cobb says the alleged breach "sounds like account passwords were guessed or brute-forced. The security of the compromised accounts may have been weakened by password re-use."
Hackers try username/password combinations harvested from prior attacks on different systems to see if they work on the target website, Cobb says. "While the devices were not hacked in this case, the highly personal nature of data generated by wearable devices creates the need for a secure ecosystem in which to use them; this implies security practices that go beyond the typical 'user name and password' authentication that websites employ to control access to user data," he says.
Cobb says the security and safety of any wearable device depends on how they work. "If they have to communicate with other systems in order to work, and those other systems cannot be appropriately secured, then the security of the device itself is a moot point," he says. "Users need to look at whether they can use the device with a different app, one that is more secure."
Protecting Consumer Data
The Fitbit hack demonstrates that the infrastructure required to support wearable technology is immature and not yet able to guarantee privacy, Cobb adds. "It is currently up to consumers to weigh the risks and realize that the burden of data protection is on them; they need to observe the rules of cyber hygiene," he says.
McMillan says that consumers should also be aware of additional risks that wearable devices may pose.
"Other security issues that FitBit users need to be aware of involve the devices themselves and their susceptibility to hack and or compromise," he says. "There have been issues identified by researchers that have found vulnerabilities with these wearable devices that could cause them to be compromised and then, in turn, compromise other devices that users use to connect to them to see data, like your laptop, for instance."