Researcher weighs in with heavy-duty IoT vulnerability in Fitbit scales

Project Zero researcher Tavis Ormandy found a vulnerability in Fitbit's Aria Wi-Fi Smart Scale that, if exploited, allows an attacker to trick the scale into synchronizing with a non-Fitbit server.

Vulnerabilities in Internet of Things (IoT) devices are a growing threat, but this one really tips the scales.

Wearable fitness tracker manufacturer Fitbit has acknowledged on its website that an April 2016 update to its Aria Wi-Fi Smart Scale, an Internet-connected bathroom scale, patched a critical security vulnerability that was discovered through Google's Project Zero initiative.

Project Zero researcher Tavis Ormandy confirmed this announcement with his own post on Twitter, writing “Hahahah, I found a critical security issue in a bathroom scale.”

Ormandy didn't elaborate on the nature of the flaw, but The Register obtained a statement from Fitbit that said the scale “used a static transaction identifier for DNS requests, which could allow an attacker to trick the scale into synchronizing with a non-Fitbit server.” A DNS client accepts an answer only if the 16-bit transaction ID in the reply matches the one it sent in the query; with a fixed ID, an attacker who can get packets to the scale (on the same Wi-Fi network, for instance) can forge an answer for Fitbit's sync hostname that points the scale at a server of the attacker's choosing. Fitbit said it is not aware of any security incidents related to the flaw.
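The mechanism behind Fitbit's description, as an added illustration that is not Fitbit's firmware or any real resolver's code: a stub resolver matches a DNS answer to its outstanding query by the transaction ID in the header, so a fixed ID lets anyone who has observed a single query forge an answer that is accepted, while a randomized ID forces the attacker to guess among 65,536 values. The hostname `sync.example.invalid`, the address `203.0.113.7`, the ID `0x1234` and every helper function below are constructed assumptions for the example.

```python
"""Added illustration (not Fitbit's firmware or any real resolver's code) of
why a fixed DNS transaction ID lets an attacker answer a resolver's query.
Hostnames, addresses and the static ID below are constructed sample values."""
import random
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid: int, qname: str) -> bytes:
    """Recursive A/IN query: 12-byte header followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_response(txid: int, qname: str, ip: str) -> bytes:
    """Answer carrying a single A record; this is what a forger would send."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR RD RA, ANCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # Owner name as a compression pointer to the question (offset 12), TTL 300s, RDLENGTH 4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def parse_response(data: bytes):
    """Return (transaction id, first A record as a dotted string)."""
    txid = struct.unpack("!H", data[:2])[0]
    pos = 12
    while data[pos] != 0:          # skip the question name labels
        pos += data[pos] + 1
    pos += 1 + 4                   # name terminator + QTYPE/QCLASS
    pos += 2                       # answer owner name (compression pointer)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    return txid, ".".join(str(b) for b in data[pos:pos + rdlen])


class StubResolver:
    """Minimal client resolver with one outstanding query. A response is
    accepted only when its transaction ID matches the query that was sent."""

    def __init__(self, txid_source):
        self.txid_source = txid_source
        self.pending = None

    def send_query(self, qname: str) -> bytes:
        self.pending = self.txid_source()
        return build_query(self.pending, qname)

    def accept(self, data: bytes):
        txid, ip = parse_response(data)
        if self.pending is None or txid != self.pending:
            return None            # unsolicited or wrong-ID answer is dropped
        self.pending = None
        return ip


STATIC_TXID = 0x1234               # constructed fixed ID, the weak pattern the article describes


def static_txid() -> int:
    return STATIC_TXID


def random_txid() -> int:
    return random.SystemRandom().randrange(1 << 16)   # the usual fix: per-query random ID


def observed_txid(query: bytes) -> int:
    """What an attacker learns from seeing a single query on the network."""
    return struct.unpack("!H", query[:2])[0]


def spoof(resolver: StubResolver, qname: str, attacker_ip: str, guesses):
    """Attacker races the legitimate answer with forged responses, one per
    guessed ID. Returns the address the resolver accepted, or None if every
    forgery was dropped."""
    resolver.send_query(qname)
    for guess in guesses:
        ip = resolver.accept(build_response(guess, qname, attacker_ip))
        if ip is not None:
            return ip
    return None


if __name__ == "__main__":
    name, evil = "sync.example.invalid", "203.0.113.7"        # constructed values
    learned = observed_txid(StubResolver(static_txid).send_query(name))
    print("static ID, one forged packet:", spoof(StubResolver(static_txid), name, evil, [learned]))
    print("random ID, 256 forged packets:", spoof(StubResolver(random_txid), name, evil, range(256)))
```

Against the static resolver a single forged packet carrying the observed ID succeeds; against the randomized one, 256 forgeries succeed with probability 256/65536 per query. Real resolvers add entropy by randomizing the UDP source port as well (RFC 5452) and also verify that the question section echoes the query, and the attacker still has to land the forged answer before the genuine one arrives; none of that helps a client whose ID never changes.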

“All users with an Aria Wi-Fi scale that is paired to an account, has recently synced to Fitbit, and has healthy batteries will automatically receive the firmware update,” the statement continued.
