Some fitness trackers vulnerable to tracking, tampering, new report finds

Some popular fitness trackers that monitor a user's personal physical activity levels are vulnerable to long-term tracking and surveillance, and possible tampering, according to a new report.

The report, released Tuesday by the University of Toronto's Citizen Lab and not-for-profit research group Open Effect, looked at eight different fitness trackers and their corresponding apps to determine their privacy and security properties.

The trackers examined were: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and the Xiaomi Mi Band. Each tracker's corresponding apps were also examined.

The researchers looked at what security measures are in place for each device with regard to data collection, storage, and transmission practices.

The report found that all of the devices, with the exception of the Apple Watch, emit persistent unique IDs via their embedded Bluetooth radios. These IDs can expose the wearer to long-term tracking of their location, even when the device is not paired and connected to a mobile device, the report says.

The Apple Watch is the only model included in the study that randomizes its Bluetooth ID, meaning it is impossible to track the device over the long term.

The report also found that the apps associated with the Jawbone and Withings devices can be exploited to create fake fitness records. The ability to create fake records is problematic, as data collected from personal fitness trackers could potentially be used in health insurance programs and court cases.

The Garmin Connect apps and the Withings Health Mate Android app have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data, the report finds.

The report also found that the Garmin device's iOS and Android apps do not encrypt the data they handle. This means that data collected by the device is vulnerable to surveillance or tampering, the report finds.

The researchers attempted to contact all of the device manufacturers, with the exception of Apple, because they found no technical vulnerabilities with the Apple Watch.

In each case, the researchers wrote an email to inform the company about the security vulnerabilities they had discovered in its products. The companies were contacted in November 2015 and notified that the researchers planned to publish their report at the end of January 2016.

Of the companies contacted, Fitbit, Intel (for the Basis Peak), and Mio responded and engaged the researchers in a dialogue, the report says.

"Fitbit stated it was interested in implementing (Bluetooth) LE Privacy and that their wearable devices could support it," the report said. "However, the company asserted that the fragmented Android ecosystem, in which some devices do not support LE Privacy, prevents them from implementing the feature."

The report said the security team at Intel (the owners of Basis) stated that the primary use case for the Peak wearable involved the device being continually connected over Bluetooth to the user's phone. The report said the company provided “no indication that they intended to fix the emission of a persistent (Bluetooth) MAC address through advertising packets, when the device was not connected to a mobile device.”
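The difference between the persistent Bluetooth identifier described above and the randomized one the report credits the Apple Watch with, shown as an added example that is not part of the report or this article: the address-type rules follow the Bluetooth Core Specification (a random address's two most significant bits select static, resolvable private or non-resolvable private), while the device addresses and sightings below are constructed.

```python
"""Classify Bluetooth LE advertising addresses by long-term trackability.

Constructed example (not from the Citizen Lab/Open Effect report): every
address and timestamp below is made up. Address-type rules follow the
Bluetooth Core Specification: for a random address, the two most significant
bits are 0b11 (static), 0b01 (resolvable private) or 0b00 (non-resolvable).
"""
from collections import defaultdict

PUBLIC, RANDOM = "public", "random"


def classify_address(addr: str, addr_type: str) -> str:
    """Return 'public', 'random_static', 'random_resolvable' or 'random_non_resolvable'."""
    if addr_type == PUBLIC:
        return "public"                 # IEEE-assigned, fixed for the life of the radio
    msb = int(addr.split(":")[0], 16)   # most significant byte is written first
    top_bits = msb >> 6
    if top_bits == 0b11:
        return "random_static"          # fixed at least until power cycle, often forever
    if top_bits == 0b01:
        return "random_resolvable"      # rotates; only holders of the IRK can link it
    return "random_non_resolvable"      # rotates and is never linkable


def trackable_long_term(addr: str, addr_type: str) -> bool:
    """True when an observer without the device's IRK can follow it across days."""
    return classify_address(addr, addr_type) in ("public", "random_static")


def linkable_sightings(sightings):
    """Audit helper: from (seconds, addr_type, addr) sightings of your own devices,
    return {addr: (first_seen, last_seen, count)} for the persistent identifiers only.
    Devices that rotate their address (LE Privacy) drop out of this table."""
    seen = defaultdict(list)
    for ts, addr_type, addr in sightings:
        if trackable_long_term(addr, addr_type):
            seen[addr].append(ts)
    return {a: (min(t), max(t), len(t)) for a, t in seen.items()}


# Constructed three-day capture: one public-address tracker, one static-random
# tracker, and one LE Privacy device whose resolvable address rotates.
SAMPLE = [
    (0,      PUBLIC, "5C:F3:70:AA:BB:CC"), (0,      RANDOM, "C4:D0:FF:00:00:01"),
    (0,      RANDOM, "4A:11:22:33:44:55"), (900,    RANDOM, "5B:66:77:88:99:AA"),
    (86400,  PUBLIC, "5C:F3:70:AA:BB:CC"), (86400,  RANDOM, "7C:BB:CC:DD:EE:FF"),
    (172800, PUBLIC, "5C:F3:70:AA:BB:CC"), (172800, RANDOM, "C4:D0:FF:00:00:01"),
]


def audit_sample():
    """Run the audit over the constructed capture; only the two fixed addresses remain."""
    return linkable_sightings(SAMPLE)
```

The persistent addresses stay linkable across all three days of the constructed capture, which is the exposure the report describes; the rotating resolvable address never appears in the audit table.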

According to the report, Garmin, Withings, Jawbone and Xiaomi did not respond to the researchers’ attempts to contact their security teams about the issues raised in the report.

What can consumers do?

Andrew Hilts, one of the authors of the report, said that consumers concerned about the security of their personal health information can take a few steps to boost their security.

To help mitigate the risk of their device emitting a persistent Bluetooth ID, he suggests users keep their tracker connected to their mobile phones at all times.

As well, people who use the Garmin device and apps, and who are concerned about the security of their data, should only use the app when they're connected to a closed network that they trust, Hilts said.

Finally, Hilts recommends users who are concerned about their privacy contact the manufacturers and let the companies know about their concerns.

In a statement posted to the Citizen Lab website, the researchers say that consumers deserve to be better informed about their device's "privacy and security practices" to help them determine whether or not they are comfortable with how their fitness data is being used.
