Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.

The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

Findings

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not employ data encryption security practices for its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers, with the exception of Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers emailed the company to inform it of any security vulnerabilities they had discovered in its products. The companies were contacted in November 2015 and notified that the researchers were planning to publish their report at the end of January 2016.

Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevent them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told CTVNews.ca that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.


