Exercise tracker firm tightens security controls to thwart social engineering-based attack

Attackers could potentially upload malicious apps to Fitbit's website, a researcher discovered

Miscreants had the ability to upload a malicious app containing spyware to Fitbit’s official website, a security researcher has discovered.

Fitbit markets fitness trackers which can monitor a users’ heart rate, calorie intake, and exercise sessions, among other data.

Its devices are compatible with a number of apps which can be downloaded from its official website and other app stores. Customers can also download watch faces.

Security researcher Kevin Breen from Immersive Labs revealed today how he was able to create a spyware-laden app and upload it to Fitbit’s official website, where it could be downloaded.

“I was able to write a piece of Fitbit spyware which could basically steal everything from location to personal body data, as well as being capable of connecting to company networks for a range of potentially malicious actions,” Breen told The Daily Swig.

“I was then able to upload it to a private section intended for developers on the Fitbit Gallery, which is where users come to get apps and watch faces. From here, I had no problem installing it on a single victim device.”

Read more of the latest Internet of Things security news

Breen claims he was able to upload the app onto the official domain without approval because private applications are only manually screened after they have been added.

“Anything being offered from a trusted domain such as this will subconsciously seem more legitimate to a potential target, increasing the chances of it being downloaded,” Breen said.

The researcher reported his findings to Fitbit, which said there is no evidence that any personal data has been compromised.

No evidence of compromise

A Fitbit spokesperson told The Daily Swig: “We are not aware of any actual compromise of user data.

“We have already implemented improvements to address the concerns, including adding a warning message to users before installing a private app and making it clear which installed apps and/or clock faces are private rather than part of our public gallery.

“It’s important to note that privately shared apps, which typically are used to enable developer testing, are not visible or searchable through the public Fitbit App Gallery.

“The Fitbit APIs for accessing data from Fitbit devices do not provide any personally identifiable location or metrics data.

“All apps submitted for publication to the public App Gallery are subject to Fitbit review, and all apps – whether submitted for private use or submitted for public availability in the App Gallery – must follow stated guidelines and terms to protect our users.

“We encourage consumers to only install applications from sources they know and trust and to be mindful of what data they’re sharing with third parties. We give our users control over what data they share and with whom.”


Breen was not eligible for a bug bounty payout as per Fitbit’s rules, which exclude reward what the vendor classifies as social engineering attacks.

The researcher told The Daily Swig that social engineering attacks should be taken more seriously by technology providers.

He said: “Social engineering is huge a key part of the attack process. While it is hard to put technical controls in place around people, there are ways to make the user aware of the risks before installing anything.

“Thankfully, Fitbit seems to have taken this seriously and have moved to put mitigations in place after reading the research.”

Fitbit added: “The trust of our customers is paramount, and we are committed to protecting consumer privacy and keeping data safe.

“We responded immediately when contacted by this researcher and worked quickly and collaboratively to address the concerns they raised.”

READ MORE Fitbit applies ‘multifaceted approach’ to cybersecurity