Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.

The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

Findings

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not employ data encryption for its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers, with the exception of Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers wrote an email to inform the company about any security vulnerabilities they had discovered in its products. The companies were contacted in November 2015, and notified that the researchers were planning on publishing their report at the end of January 2016.

Of the companies contacted, Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevent them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told CTVNews.ca that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.


