Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.


The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

Findings

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not employ data encryption security practices for its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers except Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers emailed the company to inform it of any security vulnerabilities they had discovered in its products. The companies were contacted in November 2015 and notified that the researchers were planning on publishing their report at the end of January 2016.

Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevent them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told CTVNews.ca that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.


