Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.

The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

Findings

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The potential to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third-parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device does not employ data encryption security practices for its iOS or Android apps. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers except Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers wrote an email to inform the company about any security vulnerabilities that they discovered in its products. The companies were contacted in November 2015 and notified that the researchers were planning on publishing their report at the end of January 2016.

Of the companies contacted, Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevent them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, told CTVNews.ca that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to The Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.


