Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.

The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

Findings

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not employ data encryption security practices for its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers, with the exception of Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers wrote an email to inform each company about any security vulnerabilities that they discovered in their products. The companies were contacted in November, 2015, and notified that the researchers were planning on publishing their report at the end of January, 2016.

Of the companies contacted, Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevent them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told CTVNews.ca that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.


