Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.


The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

Findings

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not employ data encryption security practices for its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers, with the exception of Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers wrote an email to inform the company about any security vulnerabilities that they discovered in its products. The companies were contacted in November 2015 and notified that the researchers were planning on publishing their report at the end of January 2016.

Of the companies contacted, Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevent them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told CTVNews.ca that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.


