Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.


The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.


The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not employ data encryption security practices for its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers, with the exception of Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers wrote an email to inform each company about any security vulnerabilities that they discovered in their products. The companies were contacted in November, 2015, and notified that the researchers were planning on publishing their report at the end of January, 2016.

Of the companies contacted, Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevent them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.

