Wearable Technology, Just as Susceptible to Account Compromise

18 Jan
Industry, News

Certain Fitbit accounts have been recently reported as compromised. IT security blogging guru, Brian Krebs reached out to Fitbit CSO, Marc Brown, who has confirmed that it is not a massive breach of account databases, but rather stolen individual account passwords. [i]

The wearable, wireless-enabled, activity tracking company Fitbit, recently discovered that the attack was a result of two sources; hacked information coming from password-stealing malware, and data being hacked from customers who continue to use the same username/password combinations across various online sites. Once these hackers are logged into the accounts, they change all associated passwords and block the actual account holder from logging in. With control of these accounts, the hackers then send in requests to Fitbit looking for new devices, claiming the need to replace faulty ones. [ii]

Attackers are targeting premium devices, such as the Surge, that retails for $250, for warranty fraud.

image002

Fitbit is considering implementing a 2-factor authentication process to help overcome account hijacking. This would involve the company sending a one-time code to an account holder’s mobile device that would require it to be inputted in conjunction with their username and password, [i] much like you see when using online banking.

The fundamental point to be taken away, was that this was not a widespread hack of the physical wearable devices themselves, but rather an attack on consumer accounts. It’s common knowledge that most wearables require programs that are run through various systems other than the owning company, this typically enhances the overall customer satisfaction. If these other systems are not secured properly, then the wearables security is a disputable point.

What consumers and anyone who has ever used a password needs to take away from this is that the risk of using these devices and how to best protect them, inevitably falls on the consumer to an extent.

  • Be informed about your purchasing decisions. Search online for the device and any relevant apps, read reviews to see if there have been any previous vulnerabilities or reported hacks.
  • Ensure you are setting up SECURE user names and passwords. Create new and various user names and complex passwords for each account separately and change them frequently. This diminishes the risk of potential data hacks. Check out this blog of best practices for helping you to come up with secure usernames and passwords
  • Investigate how serious the company is in regards to protecting your data. TIP: If they aren’t taking the necessary steps to protect their own data, they probably aren’t worried about yours! Go over all the privacy policies (yes, they can be long, but it’s important!) of any device or connected app.

If you feel the company is not serious enough about your data security consider other devices, or chose not to use certain apps. The potential for your personal information to be exposed is not worth the risk.

 

Please connect with Secure Sense on LinkedIn, follow us on Twitter @Securesense and on Google+ for current company and industry news.

[i] To read more on Kreb’s talk with Fitbit read here:
http://krebsonsecurity.com/2016/01/account-takeovers-fueling-warranty-fraud/#more-33510

[ii] More from ESET’s blog:
http://www.welivesecurity.com/2016/01/12/fitbit-hacking-mean-wearables-iot/