A number of popular fitness trackers are vulnerable to long-term tracking and surveillance according to a new report. The researchers at Open Effect have analysed eight common fitness trackers to see how securely they uploaded and stored data. The full study can be found here.
The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker’s corresponding apps were also examined.
It makes for disturbing reading. Most devices used static hardware identifiers that could allow location tracking over Bluetooth. Also, the companion apps contain security holes that could potentially expose your data or let attackers fake data by changing information in the app.
The key technical findings include:
- Seven out of eight fitness tracking devices emit persistent unique identifiers (the Bluetooth Media Access Control address) that can expose their wearers to long-term location tracking when the device is not paired with and connected to a mobile device.
- Jawbone and Withings applications can be exploited to create fake fitness band records. Such fake records call into question the reliability of fitness tracker data used in court cases and insurance programs.
- The Garmin Connect applications (iPhone and Android) and Withings Health Mate (Android) application have security vulnerabilities that enable an unauthorized third-party to read, write, and delete user data.
- Garmin Connect does not employ basic data transmission security practices for its iOS or Android applications and consequently exposes fitness information to surveillance or tampering.
Open Effect writes that the Apple Watch is truly secure based on its testing methods, and devices like the Fitbit Charge HR and Mio Fuse are safer than most. They contacted each fitness tracking company in advance of the report’s release to inform the respective company about any security vulnerabilities that they discovered in their products.
“Potentially people could meddle with their data and say they are doing fitness events, fitness activities, even when they weren’t,” according to Open Effect.
Fitbit, Intel and Mio have all responded to the researchers, and it is very likely the companies will tighten up their security through firmware releases and next generation products. According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond. Apple was not contacted because researchers found no technical vulnerabilities in the Apple Watch using their methodology.
“Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it,” the report said. “However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevents them from implementing the feature.”
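The persistent-identifier finding above and Fitbit's reference to LE Privacy both come down to how a Bluetooth LE device addresses itself while advertising. The following Python is an added illustration, not code from the Open Effect report or from any of the vendors: it classifies an advertised address by the rules in the Bluetooth Core Specification (public versus random, and for random addresses the two top bits that mark static, resolvable private, and non-resolvable private) and then runs a constructed log of scanner sightings to show which addresses let a passive observer link a wearer across days. The sighting log, the addresses in it, and the day/location labels are all made up for the example.

```python
"""Why a fixed Bluetooth LE address is a tracking identifier, and what LE Privacy changes."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One scanner sighting: (day, location, TxAdd flag i.e. random address?, address).
# Constructed sample data for this example, not observations from the report.
Sighting = Tuple[int, str, bool, str]

SAMPLE_SIGHTINGS: List[Sighting] = [
    # Tracker A advertises a fixed public (IEEE-assigned) address every day.
    (1, "gym",    False, "5C:F3:70:AA:BB:CC"),
    (2, "office", False, "5C:F3:70:AA:BB:CC"),
    (3, "home",   False, "5C:F3:70:AA:BB:CC"),
    # Tracker B uses LE Privacy: a fresh resolvable private address each day
    # (top two bits 0b01). Only a bonded phone holding the IRK can resolve them.
    (1, "gym",    True,  "4A:11:22:33:44:55"),
    (2, "office", True,  "7B:66:77:88:99:AA"),
    (3, "home",   True,  "51:DE:AD:BE:EF:01"),
    # Tracker C uses a static random address (top two bits 0b11): random once,
    # then fixed, so it is as linkable as a public address.
    (1, "gym",    True,  "C8:12:34:56:78:9A"),
    (2, "office", True,  "C8:12:34:56:78:9A"),
]


def classify_address(addr: str, random_flag: bool) -> str:
    """Return the kind of Bluetooth LE address being advertised.

    The advertising PDU's TxAdd bit says whether AdvA is public or random.
    For random addresses the two most significant bits of the first octet
    (Bluetooth Core Spec, Vol 6 Part B, 1.3.2) distinguish:
      0b11 static random, 0b01 resolvable private, 0b00 non-resolvable private.
    """
    if not random_flag:
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {
        0b11: "static",
        0b01: "resolvable private",
        0b00: "non-resolvable private",
    }.get(top_bits, "reserved")


def is_persistent(addr: str, random_flag: bool) -> bool:
    """Public and static random addresses persist across advertising sessions."""
    return classify_address(addr, random_flag) in ("public", "static")


def link_sightings(sightings: List[Sighting]) -> Dict[str, Set[Tuple[int, str]]]:
    """Group sightings by address string: without the IRK, an observer can only
    correlate sightings that carry the same address."""
    seen: Dict[str, Set[Tuple[int, str]]] = defaultdict(set)
    for day, location, _random_flag, addr in sightings:
        seen[addr].add((day, location))
    return dict(seen)


def long_term_trackable(sightings: List[Sighting]) -> List[str]:
    """Addresses observed on more than one day: these let anyone running a BLE
    scanner along the wearer's route link their movements over time."""
    linked = link_sightings(sightings)
    return sorted(addr for addr, obs in linked.items()
                  if len({day for day, _ in obs}) > 1)


if __name__ == "__main__":
    for addr, obs in link_sightings(SAMPLE_SIGHTINGS).items():
        random_flag = next(r for _, _, r, a in SAMPLE_SIGHTINGS if a == addr)
        kind = classify_address(addr, random_flag)
        print(f"{addr}  {kind:22s}  seen on {len({d for d, _ in obs})} day(s)")
    print("linkable across days:", long_term_trackable(SAMPLE_SIGHTINGS))
```

Running it shows trackers A and C as linkable across all three locations while tracker B's three addresses look like three unrelated devices, which is exactly the difference between the seven devices the report flags and a device that rotates its address with LE Privacy. The same grouping logic, pointed at a real scanner log, is a quick way for an evaluator to check whether a wearable under test ever changes its advertised address while unpaired.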
As it stands, it is important to put these potential vulnerabilities in context. While there are risks, it is very unlikely that a hacker will target your fitness tracker.
In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device’s “privacy and security practices” to help them determine whether or not they are comfortable with how their fitness data is being used.