Responsible Disclosure and IoT

By Derek Manky | October 23, 2015

Fortinet, like most members of the security community, understands that we’re entering uncharted territory as the Internet of Things becomes a mainstream phenomenon. To that end, Fortinet invests significant resources into threat intelligence and researchers who work every day to discover new vectors of attack and strategies for cyber infection before they can be deployed maliciously.

One such vector, discovered by Fortinet senior threat researcher Axelle Apvrille, allows an attacker to inject unauthorized code onto a Fitbit band over a Bluetooth connection. In a presentation delivered at a recent conference, Apvrille demonstrated the ability to send foreign code to a nearby Fitbit, have that code persist on the band, and have it reflected onto the devices the Fitbit later syncs with. A video of the proof of concept accompanies this post.

Three steps are needed for this to go from a proof of concept to a problem in the wild:

  1. Upload malicious code to any Fitbit wristband in close range.
  2. Automatically transmit the code from the Fitbit wristband to any computer that syncs with it (via the Fitbit dongle).
  3. Have the code be executed by the connected computer.

Fortinet researchers demonstrated and verified steps 1 and 2. Step 3 would rely on exploiting a vulnerability in the computer to which the Fitbit wristband was synced, which was out of the scope of our research. In other words, the band serves as a carrier for attacker-controlled bytes; whether those bytes do anything on the host depends on how the host-side software that receives them handles untrusted input.

To date, we are not aware of an exploit that would enable this third step, nor did we actively look for one. However, we would caution against assuming that no such exploit is possible, now or in the future.

This vulnerability in the Fitbit was first discovered in January of this year, and the research was thoroughly vetted internally. Following responsible disclosure practices, we contacted Fitbit on February 13, notifying them of the security issue. Fitbit responded in March, and Fortinet provided the details Fitbit needed to fix the vulnerability.

Responsible disclosure involves giving vendors sufficient time to fix vulnerabilities before they are disclosed publicly. This helps ensure that fixes are in place before large numbers of bad actors learn of the vulnerability and begin working in earnest to exploit it. At some point, though, it becomes important to disclose that a vulnerability exists, to promote awareness in the security community and to enable other security vendors to develop defenses. This increases security for the community at large.

The Internet of Things has driven a proliferation in the number of connected devices. It is the responsibility of the threat research community to continue to research and expose these kinds of vulnerabilities. Fortinet's threat research teams are critical to this process and to our goal of surfacing cyber threats and defending customers against them.

Derek Manky, Global Security Strategist, Fortinet