Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.

The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

Findings

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not employ data encryption security practices for its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers except Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers wrote an email to inform the company about any security vulnerabilities that they discovered in its products. The companies were contacted in November 2015 and notified that the researchers were planning on publishing their report at the end of January 2016.

Of the companies contacted, Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevent them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told CTVNews.ca that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.


