Fitness trackers, though only in their first generation, have already become very popular, and a researcher at Kaspersky has discovered ways to break their security. The authentication method implemented in several popular fitness trackers allows a third party to connect invisibly to the device, leading to data collection and command execution.
"This Proof of Concept depends on a lot of conditions for it to work properly, and in the end an attacker wouldn't be able to collect really critical data like passwords or credit card numbers. However, it proves that there is a way for an attacker to exploit mistakes left unpatched by the device developers. The fitness trackers currently available are still fairly dumb, capable of counting steps and following sleep cycles, but little more than that. But the second generation of such devices is almost here, and they will be able to gather much more information about users. It is important to think about the security of these devices now, and ensure that there is proper protection for how the tracker interacts with the smartphone," said Roman Unuchek, Senior Malware Analyst at Kaspersky Lab.
Read more about the research performed by Roman Unuchek in his article on Securelist.com.