Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.


The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

Findings

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.
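The difference between a persistent and a randomized Bluetooth ID can be checked from a scan log of your own device. The sketch below is an added example, not code from the report: the log entries are constructed, and the address classes follow the Bluetooth Core Specification, where the two most significant bits of a random address mark it as static or private.

```python
from collections import defaultdict

# Constructed scan log for this example: (hour observed, advertiser address, TxAdd).
# TxAdd is the advertising-header bit that marks the address as public or random.
SAMPLE_LOG = [
    (0,  "C8:0F:10:AA:BB:01", "public"),   # same public address all day
    (9,  "C8:0F:10:AA:BB:01", "public"),
    (23, "C8:0F:10:AA:BB:01", "public"),
    (0,  "F3:51:9C:22:10:7E", "random"),   # static random: fixed until power cycle
    (12, "F3:51:9C:22:10:7E", "random"),
    (0,  "5A:11:C2:90:3D:E4", "random"),   # private addresses, each seen only once
    (1,  "7C:88:04:1B:F0:29", "random"),
    (2,  "4E:D3:6A:55:0C:B1", "random"),
]

def address_kind(addr, txadd):
    """Classify a BLE advertiser address from TxAdd and its top two bits."""
    if txadd == "public":
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6   # two most significant bits
    return {0b11: "static-random",
            0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")

def audit(log, min_span_hours=6):
    """Return {address: finding}; min_span_hours is an assumed threshold."""
    seen = defaultdict(list)
    kinds = {}
    for hour, addr, txadd in log:
        seen[addr].append(hour)
        kinds[addr] = address_kind(addr, txadd)
    report = {}
    for addr, hours in seen.items():
        span = max(hours) - min(hours)
        fixed = kinds[addr] in ("public", "static-random")
        # Persistent if the address class never rotates, or if the same
        # address kept appearing across a long observation window.
        if fixed or span >= min_span_hours:
            report[addr] = f"persistent ({kinds[addr]}, seen over {span}h)"
        else:
            report[addr] = f"rotating ({kinds[addr]})"
    return report

if __name__ == "__main__":
    for addr, finding in audit(SAMPLE_LOG).items():
        print(addr, "->", finding)
```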

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not employ data encryption security practices for its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers, with the exception of Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers wrote an email to inform the company about any security vulnerabilities that they discovered in its products. The companies were contacted in November 2015 and notified that the researchers were planning on publishing their report at the end of January 2016.

Of the companies contacted, Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevent them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told CTVNews.ca that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.
