Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.


The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

Findings

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.
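The difference between a persistent and a randomized Bluetooth ID can be checked from scan logs of a device you own. The following Python example is added here as an illustration and is not code from the Citizen Lab / Open Effect report; the function names, the 15-minute threshold and the sample sightings are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed threshold: a private address observed for longer than this is
# treated as not rotating. Tune it to the rotation interval you expect.
MAX_PRIVATE_LIFETIME = timedelta(minutes=15)

def classify_address(addr, addr_type):
    """addr_type is the advertising PDU's TxAdd flag: 'public' or 'random'.
    For random addresses the two most significant bits give the sub-type."""
    if addr_type == "public":
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static-random", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")

def audit(observations):
    """Map each address seen for one device to (kind, is_persistent)."""
    seen = defaultdict(list)
    for ts, addr, addr_type in observations:
        seen[(addr.upper(), addr_type)].append(datetime.fromisoformat(ts))
    report = {}
    for (addr, addr_type), times in seen.items():
        kind = classify_address(addr, addr_type)
        lifetime = max(times) - min(times)
        # Public addresses are fixed and static-random ones change at most on
        # a power cycle; a private address only helps if it is rotated.
        persistent = (kind in ("public", "static-random")
                      or lifetime > MAX_PRIVATE_LIFETIME)
        report[addr] = (kind, persistent)
    return report

# Constructed sample sightings (timestamp, address, TxAdd type); not real devices.
SAMPLE = [
    ("2016-02-01T08:00:00", "C4:11:22:33:44:55", "random"),  # static, days apart
    ("2016-02-03T18:30:00", "C4:11:22:33:44:55", "random"),
    ("2016-02-01T08:00:00", "5A:01:02:03:04:05", "random"),  # private, rotated
    ("2016-02-01T08:10:00", "5A:01:02:03:04:05", "random"),
    ("2016-02-01T08:20:00", "7B:0A:0B:0C:0D:0E", "random"),  # next private address
    ("2016-02-01T09:00:00", "4C:AA:BB:CC:DD:EE", "random"),  # private, never rotated
    ("2016-02-03T09:00:00", "4C:AA:BB:CC:DD:EE", "random"),
]

if __name__ == "__main__":
    for addr, (kind, persistent) in audit(SAMPLE).items():
        print(addr, kind, "PERSISTENT" if persistent else "ok")
```

An address that is formally "private" but is observed unchanged across days is flagged the same way as a fixed one, since the wearer is equally linkable in both cases.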

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third-parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not employ data encryption security practices for its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers, with the exception of Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers wrote an email to inform each company about any security vulnerabilities that they discovered in their products. The companies were contacted in November, 2015, and notified that the researchers were planning on publishing their report at the end of January, 2016.

Of the companies contacted, Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevent them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told CTVNews.ca that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.


