Menu
Fitness trackers are leaking lots of your data, study finds

Fitness trackers are leaking lots of your data, study finds

Flaws in data security will also limit the usefulness of wearables' data for health insurers and courts

Some of the more popular sports wearables don't just let you track your fitness, they let other people track you.

That's what Canadian researchers found when they studied fitness-tracking devices from eight manufacturers, along with their companion mobile apps.

All the devices studied except for the Apple Watch transmitted a persistent, unique Bluetooth identifier, allowing them to be tracked by the beacons increasingly being used by retail stores and shopping malls to recognize and profile their customers.

The revealing devices, the Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2 and Xiaomi Mi Band, all make it possible for their wearers to be tracked using Bluetooth even when the device is not paired with or connected to a smartphone, the researchers said. Only the Apple device used a feature of the Bluetooth LE standard to generate changing MAC addresses to prevent tracking.

In addition, companion apps for the wearables variously leaked login credentials, transmitted activity tracking information in a way that allowed interception or tampering, or allowed users to submit fake activity tracking information, according to an early draft of the report, "Every Step you Fake: A Comparative Analysis of Fitness Tracker Privacy and Security." It was published by Canadian non-profit Open Effect, and researched with help from the Citizen Lab at the Munk School of Global Affairs, University of Toronto.

The apps are typically used to gather data from the fitness tracking device and upload it to a central server, where users can analyze their performance and perhaps compare it with that of other device wearers.

Using a man-in-the-middle attack, researchers were able to spy on traffic between the apps and the servers for all but two of the apps, Apple's Watch 2.1 and Intel's Basis Peak 1.14.0. For the six remaining apps, this allowed them to observe even encrypted data sent via HTTPS.

Apple and Intel used a technique called certificate pinning to avoid being fooled by the fake security certificates presented by the researchers. Intel has been highlighting the risks of poorly secured wearable devices since at least 2014, when it published the report "Safeguarding the Future of Digital America 2025."

The Canadian researchers analyzed the traffic they observed and determined that the Garmin app used HTTPS only for signup and login, sending all other data in the clear, so that third parties could read, write or delete it.

Users of the Jawbone and Withings apps could falsify their fitness records, perhaps allowing them to erase evidence of medical problems or fake their sporting prowess. This is bad news for health insurers, some of which have begun to use fitness tracker data to offer lower premiums, and courts, which have admitted the data as evidence in a number of cases.

The authors are still working on the parts of their report dealing with policy implications, but noted that the significance of the security flaws depends on the jurisdiction where the fitness trackers are used. While the trackers are not considered medical devices, and thus escape the most stringent aspects of U.S. privacy law, the data they generate is considered personal information under European data protection law and so ought to be protected, the researchers said.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Apple watch

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments