Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.


The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

Findings

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.
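The difference between a persistent and a randomized Bluetooth ID can be checked from advertisement captures taken in separate sessions. The following is an added example, not code from the report or the article: the device labels, addresses and log format are constructed, and the address sub-type bits follow the Bluetooth Core Specification.

```python
from collections import defaultdict

# Constructed audit log, one row per advertisement seen from a device under test:
# (session, device_label, advertiser_address, tx_add_random)
# tx_add_random mirrors the TxAdd bit of the advertising PDU (True = random address).
OBSERVATIONS = [
    ("day1", "tracker-A", "C8:0F:10:2A:5B:01", False),
    ("day2", "tracker-A", "C8:0F:10:2A:5B:01", False),
    ("day3", "tracker-A", "c8:0f:10:2a:5b:01", False),
    ("day1", "tracker-B", "E4:7A:91:0C:33:9D", True),
    ("day2", "tracker-B", "E4:7A:91:0C:33:9D", True),
    ("day1", "watch-C", "5A:11:C2:9E:04:77", True),
    ("day2", "watch-C", "6B:90:3D:41:FA:12", True),
    ("day3", "watch-C", "47:2C:88:D0:15:E3", True),
    ("day1", "band-D", "D1:22:33:44:55:66", True),
]

def address_kind(addr, tx_add_random):
    """Classify a BLE device address by its type and two most significant bits."""
    if not tx_add_random:
        return "public"                       # fixed, vendor-assigned address
    top2 = int(addr.split(":")[0], 16) >> 6   # first octet is the most significant
    return {0b11: "static-random",            # fixed at least until power cycle
            0b01: "resolvable-private",       # rotates; used by LE Privacy
            0b00: "non-resolvable-private"}.get(top2, "reserved")

def audit(observations):
    """Per device: does any single address reappear across separate sessions?"""
    seen = defaultdict(lambda: defaultdict(set))   # device -> address -> sessions
    kinds = {}
    for session, device, addr, is_random in observations:
        addr = addr.upper()                        # normalise case before comparing
        seen[device][addr].add(session)
        kinds[addr] = address_kind(addr, is_random)
    report = {}
    for device, by_addr in seen.items():
        all_sessions = set().union(*by_addr.values())
        reused = sorted(a for a, s in by_addr.items() if len(s) > 1)
        if len(all_sessions) < 2:
            verdict = "insufficient-data"          # one session cannot show rotation
        else:
            verdict = "persistent" if reused else "rotating"
        report[device] = {"verdict": verdict, "reused": reused,
                          "kinds": sorted({kinds[a] for a in by_addr})}
    return report

if __name__ == "__main__":
    for device, result in audit(OBSERVATIONS).items():
        print(device, result)
```

A "persistent" verdict with a public or static-random address corresponds to the behaviour the report describes for seven of the eight trackers; a "rotating" verdict with resolvable private addresses is the behaviour attributed to the Apple Watch.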

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not employ data encryption security practices for its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers, with the exception of Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers wrote an email to inform the company about any security vulnerabilities that they discovered in its products. The companies were contacted in November 2015 and notified that the researchers were planning on publishing their report at the end of January 2016.

Of the companies contacted, Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevent them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told CTVNews.ca that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.


