That’s what some hackers at the Hack.Lu conference in Luxembourg demonstrated last week with the FitBit. Using a man-in-the-middle attack, they intercept communication between the FitBit and FitBit servers. When the transaction is complete, the hacking software can insert its payload in the response, infecting the FitBit. When the FitBit is connected to its owner’s computer, it can upload the infected software to the computer, infecting it or other FitBits that connect to that computer.
The exploit was reported to FitBit in March, but they haven’t fixed it yet. Now that it’s out in public, you may want to wait to upload your workout results until you’re out of Bluetooth range of the fitness center… or just leave the device at home.
When we create Internet of Things devices, we really need to engineer security and management into them from the start – and just expect them to be hacker targets.