Vulnerabilities in Internet of Things (IoT) devices are a growing threat, but this one really tips the scales.
Wearable fitness tracker manufacturer Fitbit has acknowledged on its website that an April 2016 update to its Aria Wi-Fi Smart Scale, an Internet-connected bathroom scale, patched a critical security vulnerability that was discovered through Google's Project Zero initiative.
Project Zero researcher Tavis Ormandy confirmed this announcement with his own post on Twitter, writing “Hahahah, I found a critical security issue in a bathroom scale.”
Ormandy didn't elaborate on the nature of the flaw, but The Register obtained a statement from Fitbit that said the scale “used a static transaction identifier for DNS requests, which could allow an attacker to trick the scale into synchronizing with a non-Fitbit server.” Fitbit said it is not aware of any security incidents related to the flaw.
“All users with an Aria Wi-Fi scale that is paired to an account, has recently synced to Fitbit, and has healthy batteries will automatically receive the firmware update,” the statement continued.
