It's 2016 and now your internet-connected bathroom scales can be hacked

Owners of Fitbit's Aria internet-connected smart scales are being advised to install a firmware patch following the discovery of critical security flaws. Tavis Ormandy of Google's Project Zero was credited with finding the vulnerabilities in the Wi-Fi cyber-scales. While Fitbit isn't providing specific details on the nature of …

  1. Anonymous Coward
    Anonymous Coward

    Am I the only one thinking it's a good job we don't have ipv6 yet?

    1. Anonymous Coward
      Anonymous Coward

      Some of us have it already. It's nice, since there's far less trash on it yet, like port scans, DDOS and ... your mum.

      1. Anonymous Coward
        Anonymous Coward

        How do you know my mum isn't on it? Maybe she even got allocated an ipv8 or ipv16 address location. You just don't know.

        Mums

      2. Aodhhan Bronze badge

        You're delusional if you think hackers aren't scouring and sniffing IPv6. You might find this hard to believe, but the lack of use actually makes it a lot easier. Also, there are a lot of vulnerabilities which aren't being addressed, so it's open season if you don't shut down this service.

  2. Jeroen Braamhaar

    Insecure Default Internet Of Things - also identifies what you ought to think of people promoting it :)

  3. Hans 1 Silver badge
    Happy

    I was in a shop for some scales, the cheapest I could find (no, I do not really need precision) were Bluetooth-enabled scales .... they work without, but you can hook-up your mobe to send your data to a cloud ...

    We do not really care about BMI or whatever, we just wanted scales to weigh the kids ... needless to say, Bluetooth has been turned off on the device ... there is no option, I disconnected the antenna.

    Why people share information like this with commercial companies is beyond me ... the porkies will get contacted by weight watchers or slimfast in no time, for the "one month free special deal" ...

    My BMI is below 20 and I do not really care, it has been like that for over two decades and I am as fit as a fiddle.

    Never, EVER, put your WIFI password into these devices. Hello, anybody in ?

    1. Andy Non
      FAIL

      I made the mistake of buying some overly-fangled Tefal scales a while back, they were all that were left in the shop. They were annoying as hell. All I wanted to know was my weight, but you had to step on them then off and back on again to turn them on; then if I had just got on them after my wife they dutifully informed me the difference in our weights and displayed a graph of the changes in "my" weight. To make matters worse the batteries only lasted a month or so. Ended up throwing them away after only a few months and buying some cheap spring based scales. At least they did what scales are supposed to do. The more technology they put in these things, often the worse and more unusable they become.

      1. herman Silver badge

        The only problem I see with your networked scale is that it failed to wish you a nice day, play relaxing elevator music and remind you where your towel is.

        1. Mpeler
          Paris Hilton

          Life, The Universe, and the Internet of Things...

          Thank you for making a humble scale very happy.....

    2. a_yank_lurker Silver badge

      @Hans 1 - It looks like a Wally World run or check Amazon. Given the Wally World clientele is generally not interested in IoT and Amazon seems to carry about everything one might find a basic scale with no connectivity.

      I HATE IoT, imbecilic marketing featuritis that has almost no real benefit except to fleece one of their hard-earned money

    3. Warm Braw Silver badge

      we just wanted scales to weigh the kids

      Do you have too many to count?

      1. Ledswinger Silver badge

        "we just wanted scales to weigh the kids"

        Do you have too many to count?

        I doubt it. At 45 minutes plus 20 minutes per pound he'll need to know their weight.

        1. Destroy All Monsters Silver badge
          Terminator

          A complimentary victory scale awaits you in your bathroom

          The only problem I see with your networked scale is that it failed to wish you a nice day, play relaxing elevator music WHILE BRIEFLY ITEMIZING THE GOVERNMENTAL BRILLIANT IDEAS OF TODAY and remind you where your PLACE is.

  4. Anonymous Coward
    Anonymous Coward

    If I were married to you, I'd make your scales say "It's safe to keep eating".

    If I were married to you, I'd follow the advice.

  5. moiety

    Hack it to say "One at a time please" or "No coach parties"

    1. Anonymous Coward
      Anonymous Coward

      I still like the idea of hacking cash machines to giggle ☺

    2. Captain DaFt

      -Hack it to say "One at a time please" or "No coach parties"-

      Try - "You are large, grey, and fond of peanuts."

      1. Michael H.F. Wilkinson Silver badge
        Happy

        Or simply: "Ook!"

        Darn, no UU librarian icon

        1. moiety

          "Please remove at least two palettes from your load and check your axles for damage"

          "Contact CERN - we've found the missing mass"

          "AAARGH! Gerroff! That's not in my contract"

      2. Anonymous Coward
        Anonymous Coward

        Unless

        you live in Denmark!!

        As everyone knows, there are no large grey elephants in Denmark.

  6. nilfs2
    Childcatcher

    Imagine if a hacker hacks my internet connected refrigerator and orders dairy milk instead of almond milk to the supermarket, that would be terrible!

    1. razorfishsl

      Yes... dummy, Imagine a hacker attacks your refrigerator,

      Then uses it as a remote system with updated firmware to attack the other devices in your hovel.

      Maybe your banking browser or router, then leverages your systems from inside your "fire walled" router, maybe goes on to attack some government systems or banking infrastructure from your IP address... and for a laugh downloads some kiddie porn onto your systems.

      What's that dummy, no AV software for your appliances...?

      I have some very interesting work going regarding TV boxes, and before that USB sticks

      but then again ... so do the Chinese.....

  7. Rol Silver badge

    The Force, with you, it is. Marketing force, that is.

    "Hey Dave, how's things? I'm off to the jobcentre and thought I'd pop in on the way for a coffee"

    "DID SOMEONE MENTION COFFEE?"

    "What's that?"

    "Oh, it's my new coffee maker, it was the cheapest I could get, but it seems part of the price is it will shout advertising crap at me while making the coffee"

    "DO YOU NEED A BREAK, I HAVE MILLIONS OF GETAWAY DEALS, ALL AT AFFORDABLE PRICES"

    "Wow, both amazing and annoying"

    "Mmm"

    "Tastes ok though, just gonna use your loo.....Hey a new toilet as well"

    "BUY RAPIDO BLEACH, KILLS EVERYTHING RAPID LIKE"

    "You've got to be joking, another cheapest you could find?"

    "Yes, I think I've learnt my lesson"

    "Any other remarkably cheap, yet annoying new things?"

    "Well, I got this Chrome Book laptop thingy, but it seems fine..............

    1. Anonymous Coward
      Anonymous Coward

      Re: The Force, with you, it is. Marketing force, that is.

      It's not just cheap stuff that behaves like this.

      As anyone who had to put up with a Panasonic TV with adverts in the programme guide will confirm.

  8. DougS Silver badge
    Trollface

    What's the worst that could happen?

    Hackers make you think your diet isn't working by adding a pound a month to the reading?

    Come to think of it, that would be kind of funny if someone did that!

    1. Ledswinger Silver badge

      Re: What's the worst that could happen?

      What's the worst that could happen?

      That is the most dangerous phrase in the English language. I'd guess it was probably what the inventors of the atomic bomb said before the first test, when they thought they'd just get a modestly big bang and a crater 100 feet across.

      1. Destroy All Monsters Silver badge

        Re: What's the worst that could happen?

        Well, for the H bomb there was some fear that it could ignite the atmosphere. They did some calculations, then proceeded anyway. That took BALLS!

        1. Voyna i Mor Silver badge

          Re: What's the worst that could happen?

          "Well, for the H bomb there was some fear that it could ignite the atmosphere. They did some calculations, then proceeded anyway. That took BALLS!"

          I would say it took insane, sociopathic shortsightedness - and the Castle Bravo detonation proved that to be the case. The story of H-bomb development is one of people who shouldn't have been allowed to play with a box of matches in a sprinkler factory.

  9. redpawn Silver badge

    Toothbrush next

    This is a great idea. Insurers will love having more data. Your toothbrush could send brushing time and dietary info to the scale to be forwarded to your insurance company. Remember to check regularly for security updates for all your door knobs, scales, light bulbs, paperweights etc. You wouldn't want to miss out on all the great new features.

    1. billse10

      Re: Toothbrush next

      "Insurers will love having more data" - but there's one thing they'll love far, far more.

      "Remember to check regularly for security updates for all your door knobs" ... wait, you didn't have the latest security patch installed on your door knobs when they broke in? Oh, but as that's a breach of your insurance policy, we won't be able to pay out. The policy clearly states you are required to install the very latest update within five minutes of release, regardless of what the patch is or does - look, it's here, in the footnote on page 94 - so it's actually your fault we can't pay you.

      1. Anonymous Coward
        Anonymous Coward

        Re: it's here, in the footnote on page 94

        On display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'

        https://www.youtube.com/watch?v=HNmIQX_ImgM&feature=youtu.be&t=75

    2. Ken Hagan Gold badge

      Re: Toothbrush next

      Then ... "wearables" (single use).

  10. Mark 85 Silver badge

    The Race to the Stupid Level is on....

    Dare I ask.... could there possibly be anything more stupid than an internet connected scale.. besides a light bulb, that is? Ok.. add coffee pot, refrigerator, power drill, kitchen mixer, and the toilet (loo). Now can there be anything more useless than these that we can connect?

    I guess if I were a miscreant, I'd want these things in everyone else's home and office, though.

  11. Sgt_Oddball Silver badge

    only another....

    2 centuries until we have such things as the talkie toaster....and I do not want a muffin.

    1. Anonymous Coward
      Anonymous Coward

      Re: only another....

      Ah, a waffle man.

      1. Ledswinger Silver badge

        Re: only another....

        Ah, a waffle man.

        No, he's here

        1. Anonymous Coward
          Anonymous Coward

          Re: only another....

          ...he's here

          More like scrambled egg, I think.

  12. Steve Davies 3 Silver badge
    Facepalm

    IoT - Idiots or Twats. You choose

    IOT is also a solution waiting for a question

    Why?

    Why?

    why?

    would anyone connect a [insert IoT device type/name here] to the internet?

    What benefit to humanity is it?

    I do know that I will never connect any domestic appliance to the Internet.

    Nowt more to be said really

    1. King Jack

      Re: IoT - Idiots or Twats. You choose

      Governments and snoopers want it. They will know instantly how many people are in your home. What they are talking about, etc. And the gen pop will welcome this and be happy paying for it.

      1. Steve Davies 3 Silver badge

        Re: IoT - Idiots or Twats. You choose

        The Ad-slingers will be more interested in your data than the Government.

        Suddenly your TV shows an Ad for nappies. A few seconds before your granddaughter told you that she was expecting (then in a quiet voice,) a present for her other half to be delivered to your home.

        She's not pregnant but the dumb IoT thing interpreted it all wrong.

        Who do you sue when because of some ad slinging mistake a marriage/relationship ends?

        Come on now all those in favour of this crap please tell us this?

        Crap, pure and simple IMHO.

        GTFO of my lawn.

        1. VinceH Silver badge

          Re: IoT - Idiots or Twats. You choose

          I'm starting to realise that lots of people seem to have cheap rubbish routers that can't cope with many connected devices.

          With luck, it'll be people in that situation who are first in line for idIOT / iOUT crap, and will think the devices are faulty when it's really their router that isn't coping - and the result is that word of mouth then kills this rubbish before it gets a chance to take off.

  13. Michael H.F. Wilkinson Silver badge
    Happy

    I think you ought to know I'm feeling very depressed

    Here's another of those self-satisfied doors. I can tell it's going to open by the intolerable air of smugness it suddenly generates

    1. Destroy All Monsters Silver badge

      Re: I think you ought to know I'm feeling very depressed

      Admit it, you have been reading Philip K. Dick again!

      1. Captain Badmouth

        Re: I think you ought to know I'm feeling very depressed

        "Admit it, you have been reading Philip K. Dick again!"

        Douglas Adams, shirley?

  14. Tom 7 Silver badge

    I have just realised I now love the IOT despite its pointlessness.

    I just remembered a Bob Monkhouse story of when he was in lodgings during fuel rationing and one of his fellow lodgers had a 2CV and kept going on about how fuel efficient it was (in those days it was very efficient) and for a couple of months Monkhouse crept out at night and poured some of his petrol ration into the guys car until his expounding of its fuel efficiency reached epic levels at which point he reversed the procedure.

    I think I am going to enjoy this broken branch of technological evolution.

    1. Ledswinger Silver badge

      Re: I have just realised I now love the IOT despite its pointlessness.

      this broken branch of technological evolution

      If only it were, mate! The Internet of tat is going to be shoved down our throats with a rough and shitty stick. Sooner or later most domestic routers will be configured to allow IoT devices unauthenticated access (in the name of "ease of use"), and everything we buy will be "cloud enabled".

      For the technically literate there will be solutions to this dystopian future, but for the masses.....

  15. Captain Badmouth

    Music Hall reference

    Don't put your daughter on the scales Mrs Worthington....

    1. Commswonk Silver badge

      Re: Music Hall reference

      Isn't that a bit.. sort of... Cowardly?

      1. Captain Badmouth
        Headmaster

        Re: Music Hall reference

        Know-all. :)

  16. Captain Badmouth
    FAIL

    Foresight

    I'm sure if they'd had any idea this might happen they would never have named the company FITBITS.

  17. Commswonk Silver badge

    What if...

    With my PC being fully 3' from the router I use an Ethernet connection and my wifi capability remains "off", or it would if "off" was an allowable state; actually I have it set to be functional for as short a time as possible during the wee small hours.

    However I know from those occasions when I use the laptop at home (also "wired") that it can see usable signals from neighbour's wifi equipment.

    I wonder what fun will arise if I accidentally* bring IoT enabled items into Maison Commswonk and it affiliates with someone else's wifi and sends back all sort of data about "me" when in fact it will appear to be sending back all sorts of data about "them".

    * I certainly won't do it by choice.

    1. Captain Badmouth
      Windows

      Re: What if...

      This is the real problem with IOT, even if you ban the things (assuming you've bought one of them) from accessing your network how easy is it for them to phone home via someone else's shitty un-protected setup?

      I need a drink, and Hinterland has just started on BBC4.

      1. Commswonk Silver badge

        Re: What if...

        Perhaps there is a solution to be found in subverting the whole process rather than trying to prevent it.

        If the detail of the data sent back to IoT central can be determined then sending back manifestly absurd information becomes almost trivial.

        How many bits of toast did that house consume this morning? How heavy is that family?

        Let the games begin...

        1. Destroy All Monsters Silver badge

          Re: What if...

          There will be a law against that in a jiffie!

  18. allthecoolshortnamesweretaken Silver badge

    "The future's now, but it's all going wrong..." - The The

  19. Electric Panda

    More pointless IoT cloudy bollocks, what a world we live in where just about everything is "smart" (an oxymoron if ever I saw it) and connected to the net for the hell of it. Pure gimmickry with a security model worthy of the year 2000.

    Call me old fashioned, but I still use a notepad and pen to keep track of things like my weight.

    1. Voyna i Mor Silver badge

      "Call me old fashioned, but I still use a notepad and pen to keep track of things like my weight."

      How does that work exactly? Do you place a carefully measured inkblot on the notepad, stand on it and measure the size of the resulting patch?

      Once you realise that a measuring device based on strain gauges is ultimately easier to make and has a longer reliable life than something using calibrated springs and gears, and that the electronics to measure the output of the strain gauges benefits from a microprocessor, you might just as well do something with the spare ROM and RAM.

      Storing the data in "the cloud" no, the option to keep it local should be there. But there's nothing wrong with finding a use for a little surplus compute power, and using it to keep track of things seems pretty obvious.

  20. Anonymous Coward
    Anonymous Coward

    I had these scales and got hacked...

    Is what I told the judge: the Russians or the Chinese or someone hacked my scales, and that immediately changed my weight, so my trousers got too tight, so my button popped when I stood up on a crowded train, so my trousers fell down, and due to an unfortunate series of domestic inefficiencies at home I'd washed no underwear, so for hygiene purposes I was simply, like everyone else does I imagine, wearing clingfilm only under my trousers, but three passengers screamed, two took a photo, one reported me and here I am now, awaiting sentencing. I spoke to a Fitbit representative who said: "This has got nothing to do with us."

  21. Andy Towler
    Stop

    The Thing about the Internet Of Things

    Is... did they actually ask whether anyone wanted it?

  22. TeeCee Gold badge
    WTF?

    Wrong stress in article.

    Embarrassingly simple vuln in IoT device is on a par news-wise with the sun coming up, bears crapping in woods and such.

    The fact that the object in question can be updated and a patch has been issued? That one's way into "well, fuck me backwards" levels of surprise.

  23. Martin Maloney
    Trollface

    Entirely too much fun

    Who would want to hack a bathroom scale? Well…

    Let's say that some obnoxious show-off bloke brags to you about his expensive IoT bathroom scale. So you hack into it, causing it to increment his actual weight by 1-2 pounds every 3-4 days. After a couple of weeks or so, he would become concerned about his "weight gain" and cut back on his food consumption - and it wouldn't do any good!

    Then you reverse the hack, decrementing his weight. At first he would be gratified that his diet was finally starting to work. However, when you reach the point that the scale gives an accurate weight display, you continue decrementing, taking him 15-20 pounds "underweight," and increasing his food intake wouldn't do any good!

    It would never occur to the bloke that his expensive, state-of-the-art toy was malfunctioning.

    (They're really not supposed to allow Internet access from this ward.)

  24. John Brown (no body) Silver badge
    Coat

    I was wondering....

    ...is it a thin client issue or a fat client issue?

  25. Seajay#

    As Jobs would say

    Not that big of a deal.

    It's a theoretical hole which would have allowed an attacker who was already on your wifi to convince your scales that he was the fitbit server, so he'll find out what you weigh. There's nothing here which says that he'll be able to do anything bad to the scales. Firmware updates are signed (I hope); if they aren't, that would be more of a story, but there's no suggestion of that.

    Also, they've fixed it before anyone has used it. Great. This is surely a story of IoT done right.

  26. Triggerfish

    What, why? How about the planet?

    We have taken perfectly good and accurate bathroom scales that work from a proven mechanical design, and made it electrical?

    Sorry but if we are all supposed to be conserving energy, can anyone tell me what reason making these things electronic and able to talk to the net is a good idea? What's your electrical footprint if I decide to completely connect all the things that never needed it before up?

    How about the materials used to make it electronic, pretty sure they are less environmentally friendly than the average mechanical scale materials.

    I can't see any significant advantage in this, not even sure why you would want to have your scales connected, what they gonna do talk to your fridge and tell it not to unlock except at meal times?

    Seems to me it's a fail on many levels, security, environmental, design, point.
