Software Integrity Blog


Fitbit IoT bathroom scale hit with critical vulnerabilities

Users of Fitbit’s Aria internet-connected smart scales will need to install a firmware patch as a result of critical security flaws reported last week.

Google’s Project Zero researcher Tavis Ormandy disclosed “a static transaction identifier for DNS requests, which could allow an attacker to trick the scale into synchronizing with a non-Fitbit server,” according to a statement from Fitbit to The Register. The Aria logs the user’s weight, body fat percentage and body mass index (BMI), transmits that data to Fitbit’s cloud, and syncs it with the user’s online Fitbit profile. Because the scale locates that cloud service by DNS, the flaw could cause the same data to be sent elsewhere.
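The weakness Fitbit describes is a DNS client that never varies the 16-bit transaction ID in its queries, so a response carrying that fixed ID is accepted without the guessing that a random ID forces. The following audit script is an added example for this post, not code from Fitbit, Project Zero or The Register. It parses the RFC 1035 header of captured DNS queries, flags a client whose IDs repeat, and shows the matching check a resolver should apply to incoming responses. The packets it runs on are constructed inline; nothing here is real Aria traffic.

```python
import struct
from collections import Counter

DNS_HEADER_LEN = 12  # RFC 1035 section 4.1.1: six 16-bit fields
QR_BIT = 0x8000      # high bit of the flags word: 1 = response


def build_query_header(txid, qdcount=1):
    """Build a 12-byte DNS query header with the given transaction ID.

    Constructed for the example; flags 0x0100 = standard query, recursion desired.
    """
    return struct.pack(">HHHHHH", txid, 0x0100, qdcount, 0, 0, 0)


def build_response_header(txid, ancount=1):
    """Build a 12-byte DNS response header (QR set, NOERROR) for the example."""
    return struct.pack(">HHHHHH", txid, 0x8180, 1, ancount, 0, 0)


def parse_header(packet):
    """Return (txid, flags) from a DNS message; reject anything shorter than a header."""
    if len(packet) < DNS_HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags = struct.unpack(">HH", packet[:4])
    return txid, flags


def audit_txids(packets, min_distinct_ratio=0.9):
    """Audit a sequence of captured DNS queries from one client.

    A correct client draws a fresh random ID for each query, so across many
    queries nearly every ID should be distinct. A client that reuses one ID
    (or a tiny set) is the predictable behaviour the article describes.
    Returns (suspicious, summary).
    """
    if not packets:
        raise ValueError("need at least one captured query to audit")
    ids = [parse_header(p)[0] for p in packets]
    counts = Counter(ids)
    distinct_ratio = len(counts) / len(ids)
    most_common_id, most_common_n = counts.most_common(1)[0]
    summary = {
        "queries": len(ids),
        "distinct_ids": len(counts),
        "distinct_ratio": distinct_ratio,
        "most_common_id": most_common_id,
        "most_common_count": most_common_n,
    }
    return distinct_ratio < min_distinct_ratio, summary


def response_matches(expected_txid, response):
    """Resolver-side check: accept a response only if it is a response (QR set)
    and its ID equals the ID of the query still outstanding.

    With a random per-query ID, a forged answer must also guess this value;
    with a static ID, this check alone no longer provides that protection.
    """
    txid, flags = parse_header(response)
    return bool(flags & QR_BIT) and txid == expected_txid


# Constructed capture 1: a client that sends the same ID with every query.
STATIC_CAPTURE = [build_query_header(0x1234) for _ in range(10)]

# Constructed capture 2: a client that randomizes (values fixed so the example
# is deterministic; they are not a real trace).
RANDOM_CAPTURE = [
    build_query_header(t)
    for t in (0x0A11, 0x7F3E, 0x2C90, 0xD4B2, 0x51E7,
              0x9C03, 0xE8AA, 0x3375, 0xB61C, 0x4FD9)
]

if __name__ == "__main__":
    for name, capture in (("static", STATIC_CAPTURE), ("random", RANDOM_CAPTURE)):
        suspicious, summary = audit_txids(capture)
        print(f"{name}: suspicious={suspicious} {summary}")
    print("matching response accepted:",
          response_matches(0x0A11, build_response_header(0x0A11)))
    print("mismatched response rejected:",
          response_matches(0x0A11, build_response_header(0x0A12)))
```

To apply this to a real device, export the UDP payloads of its outbound port-53 queries from a packet capture and pass them to `audit_txids`; a `distinct_ratio` near 1.0 is the expected result for a healthy client. The `response_matches` check is the minimum a resolver performs on every answer, and it is only as strong as the unpredictability of the ID it compares against, which is why a static ID matters.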

The statement continued: “Although we are not aware of any security incidents related to these findings, as soon as Fitbit was informed of the potential issue, we worked on a solution to address it. We are pleased to report that a fix to this issue has been developed and released.”

Owners of the scales should receive the update automatically over the air within the next few days; they can also download it through the Fitbit dashboard tool.

