Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.


The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

Findings

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, so the device cannot be tracked over the long term by that ID.
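Added example, not from the report or this article: a small Python audit that classifies a BLE advertising address by type (public, static random, resolvable or non-resolvable private) and flags any address broadcast for longer than the 15-minute rotation interval the Bluetooth Core Specification recommends for private addresses. The observation log is constructed; a real check would feed it from a BLE scanner.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Adv:
    """One observed BLE advertising packet (constructed sample data)."""
    seen: datetime
    addr: str       # "AA:BB:CC:DD:EE:FF", most significant octet first
    addr_type: str  # "public" or "random", from the PDU's TxAdd flag

def classify(addr: str, addr_type: str) -> str:
    """Classify a BLE device address the way a privacy auditor would.
    Random addresses are sub-typed by their two most significant bits:
    11 = static, 10 = resolvable private (RPA), 00 = non-resolvable private."""
    if addr_type == "public":
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {3: "static", 2: "rpa", 0: "nrpa"}.get(top_bits, "reserved")

def long_lived_addresses(advs, window=timedelta(minutes=15)):
    """Return addresses advertised over a span longer than `window`.
    The Core Specification recommends rotating private addresses at least
    every 15 minutes; anything seen longer than that enables long-term
    tracking of the wearer, which is the report's central finding."""
    first, last = {}, {}
    for a in advs:
        first[a.addr] = min(first.get(a.addr, a.seen), a.seen)
        last[a.addr] = max(last.get(a.addr, a.seen), a.seen)
    return sorted(addr for addr in first if last[addr] - first[addr] > window)

def sample_observations():
    """Constructed log: one tracker with a fixed static address seen for two
    hours, and one device rotating its RPA every 15 minutes."""
    t0 = datetime(2016, 1, 26, 9, 0)
    def at(minutes):
        return t0 + timedelta(minutes=minutes)
    return [
        Adv(at(0), "E8:00:11:22:33:44", "random"),    # static, persists
        Adv(at(60), "E8:00:11:22:33:44", "random"),
        Adv(at(120), "E8:00:11:22:33:44", "random"),
        Adv(at(0), "A3:55:66:77:88:99", "random"),    # RPA, first window
        Adv(at(5), "A3:55:66:77:88:99", "random"),
        Adv(at(15), "B7:AA:BB:CC:DD:EE", "random"),   # RPA, rotated
        Adv(at(20), "B7:AA:BB:CC:DD:EE", "random"),
    ]

if __name__ == "__main__":
    for addr in long_lived_addresses(sample_observations()):
        print(addr, classify(addr, "random"))  # E8:00:11:22:33:44 static
```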

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not use encryption in its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers except Apple, since they found no technical vulnerabilities in the Apple Watch.

In each case, the researchers wrote an email to inform the company about the security vulnerabilities they had discovered in its products. The companies were contacted in November 2015 and notified that the researchers planned to publish their report at the end of January 2016.

Of the companies contacted, Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevents them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided "no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device."

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers' attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told CTVNews.ca that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To reduce the risk of their device broadcasting a persistent Bluetooth ID, which the devices do when they are not connected, he suggests users keep their tracker connected to their mobile phone at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.



    BEIJING -- A Chinese technology regulator has announced a 14-month campaign to root out services that allow people in the country to circumvent the government's internet censorship. The Ministry of Industry and Information Technology says it forbids the use of virtual private networks (VPNs) or leased lines that allow users and businesses to access blocked overseas websites without permission. Source