Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.

The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

Findings

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.
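The difference between a persistent and a randomized Bluetooth ID can be checked from a scan log of devices under test. The sketch below is an added example, not code from the report; the device labels, addresses, timestamps and one-hour threshold are constructed assumptions. It classifies each advertised address by type and flags any device whose address does not rotate.

```python
from collections import defaultdict

# Meaning of the two most significant bits of a BLE *random* device address.
RANDOM_SUBTYPES = {0b11: "random-static", 0b01: "resolvable-private",
                   0b00: "non-resolvable-private", 0b10: "reserved"}
FIXED_TYPES = {"public", "random-static"}  # do not rotate during normal use

def classify(addr, addr_type):
    """addr_type is 'public' or 'random', as reported by the scanner (TxAdd bit)."""
    if addr_type == "public":
        return "public"
    return RANDOM_SUBTYPES[int(addr.split(":")[0], 16) >> 6]

def audit(observations, max_lifetime_s=3600):
    """observations: (epoch_seconds, device_label, address, addr_type) tuples for
    the devices under test. max_lifetime_s is an assumed audit threshold."""
    seen = defaultdict(lambda: defaultdict(list))
    for ts, label, addr, addr_type in observations:
        seen[label][(addr.upper(), addr_type)].append(ts)
    report = {}
    for label, addrs in seen.items():
        types = {classify(a, t) for a, t in addrs}
        # Longest time any single address stayed in use for this device.
        longest = max(max(ts) - min(ts) for ts in addrs.values())
        persistent = bool(types & FIXED_TYPES) or longest >= max_lifetime_s
        report[label] = {"types": sorted(types), "distinct": len(addrs),
                         "longest_lifetime_s": longest,
                         "verdict": "persistent" if persistent else "rotating"}
    return report

# Constructed scan log (all values invented for illustration).
SAMPLE = [
    (0,     "tracker-A", "C4:12:9A:00:10:01", "random"),  # static, seen a day apart
    (86400, "tracker-A", "C4:12:9A:00:10:01", "random"),
    (0,     "watch-B",   "4A:33:07:5E:21:90", "random"),  # rotates about every 15 min
    (600,   "watch-B",   "4A:33:07:5E:21:90", "random"),
    (900,   "watch-B",   "6F:0C:D1:44:8B:17", "random"),
    (1500,  "watch-B",   "6F:0C:D1:44:8B:17", "random"),
    (1800,  "watch-B",   "53:A8:19:E2:70:3C", "random"),
    (0,     "band-C",    "7B:21:40:9D:05:66", "random"),  # private type, never rotates
    (7200,  "band-C",    "7B:21:40:9D:05:66", "random"),
]

if __name__ == "__main__":
    for label, finding in audit(SAMPLE).items():
        print(label, finding)
```

The `band-C` case shows why address type alone is not enough: an address can carry the resolvable-private bit pattern and still be persistent if the device never rotates it.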

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not employ data encryption security practices for its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers, with the exception of Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers emailed the company to inform it of any security vulnerabilities they had discovered in its products. The companies were contacted in November 2015 and notified that the researchers were planning to publish their report at the end of January 2016.

Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevent them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told CTVNews.ca that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.


