Researcher weighs in with heavy-duty IoT vulnerability in Fitbit scales
Project Zero researcher Tavis Ormandy found a vulnerability in Fitbit's Aria Wi-Fi Smart Scale that, if exploited, allows an attacker to trick the scale into synchronizing with a non-Fitbit server.
Vulnerabilities in Internet of Things (IoT) devices are a growing threat, but this one really tips the scales.
Wearable fitness tracker manufacturer Fitbit has acknowledged on its website that an April 2016 update to its Aria Wi-Fi Smart Scale, an Internet-connected bathroom scale, patched a critical security vulnerability that was discovered through Google's Project Zero initiative.
Ormandy didn't elaborate on the nature of the flaw, but The Register obtained a statement from Fitbit that said the scale “used a static transaction identifier for DNS requests, which could allow an attacker to trick the scale into synchronizing with a non-Fitbit server.” Fitbit said it is not aware of any security incidents related to the flaw.
“All users with an Aria Wi-Fi scale that is paired to an account, has recently synced to Fitbit, and has healthy batteries will automatically receive the firmware update,” the statement continued.
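The defect Fitbit describes is that the scale's resolver reused one DNS transaction identifier, which removes one of the two values (transaction ID and source port) a forger must guess to get a spoofed answer accepted. The following is an added example, not Fitbit's or Project Zero's code: it parses the DNS header and flags a client whose queries keep reusing an ID, the kind of check a network defender could run over captured queries from any embedded device. The packets are constructed inline and the hostnames and the `0x1234` ID are placeholders, not values from the advisory.

```python
import random
import struct
from collections import Counter

# DNS header (RFC 1035 section 4.1.1): id, flags, qdcount, ancount, nscount, arcount
DNS_HEADER = struct.Struct("!HHHHHH")


def encode_qname(name: str) -> bytes:
    """Encode a hostname as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """Build a minimal A-record query; flags 0x0100 sets only the RD bit."""
    question = encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + question


def parse_txid(packet: bytes) -> int:
    """Return the 16-bit transaction ID from a DNS message."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    return DNS_HEADER.unpack_from(packet)[0]


def assess_txids(packets, min_samples: int = 8) -> dict:
    """Classify a client's transaction-ID behaviour from its outbound queries.

    A sound resolver draws a fresh 16-bit ID per query, so nearly all IDs in a
    small sample should be distinct. 'static' means every query reused one ID
    (the pre-patch behaviour the article describes); 'weak' means one ID
    accounted for more than half the sample; 'insufficient' means too few queries.
    """
    ids = [parse_txid(p) for p in packets]
    if len(ids) < min_samples:
        return {"total": len(ids), "distinct": len(set(ids)), "verdict": "insufficient"}
    counts = Counter(ids)
    top_id, reuse = counts.most_common(1)[0]
    if reuse == len(ids):
        verdict = "static"
    elif reuse > len(ids) // 2:
        verdict = "weak"
    else:
        verdict = "ok"
    return {"total": len(ids), "distinct": len(counts), "top_id": top_id, "verdict": verdict}


# Constructed sample traffic (placeholder hostnames, not real captures).
NAMES = [f"sync{i}.example.net" for i in range(10)]
STATIC_CLIENT = [build_query(0x1234, n) for n in NAMES]          # one ID reused
_rng = random.Random(20160401)                                    # seeded only so the sample is reproducible
RANDOM_CLIENT = [build_query(_rng.randrange(1 << 16), n) for n in NAMES]
```

Note that a random transaction ID alone gives only 16 bits of unpredictability; the check above should be paired with confirming that the device also randomises its UDP source port.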