Security and privacy issues plague wearable fitness tracking devices

A new report is describing major security and privacy issues in several leading wearable fitness tracking devices and accompanying mobile applications. The research examined offerings by Apple, Basis, Fitbit, Garmin, Jawbone, Mio, Withings, and Xiaomi.

The report, Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security, finds that all studied fitness wearables except for the Apple Watch wirelessly emit a persistent unique identifier over Bluetooth. This leakage lets third parties, such as shopping centres or others interested in location-based monitoring, collect and map out people’s movements over time.

The research also found that two tracking applications exhibit vulnerabilities enabling third parties to access user data, while two other applications are susceptible to users falsifying their own activity levels.

The research involved analyzing data transmissions between fitness tracker mobile phone applications and the Internet, reverse engineering mobile applications, and examining Bluetooth metadata transmissions.

The report is a collaborative effort between Open Effect, a non-profit applied research group focusing on digital privacy and security, and the Citizen Lab at the Munk School of Global Affairs, University of Toronto.

“Most devices we studied do not implement Bluetooth privacy and this leaves users vulnerable to location-based surveillance. We hope our findings will help consumers make more informed decisions about how they use fitness trackers, help companies improve the privacy and security of their offerings, and help regulators understand the current landscape of wearable products,” said Andrew Hilts, Executive Director, Open Effect and Research Fellow, The Citizen Lab, Munk School of Global Affairs, and the University of Toronto.

The researchers sought contact with the seven fitness tracker companies whose products exhibited security vulnerabilities; Apple was not contacted because researchers found no technical vulnerabilities in the Apple Watch using their methodology.

Fitbit, Intel (Basis), and Mio responded and engaged the researchers in a dialogue. Fitbit further expressed interest in exploring the topic of implementing Bluetooth privacy features in its communications with the researchers.

“Wearable devices are marketed on their ability to improve fitness by collecting and transmitting health-related data. It is imperative that consumers understand the efforts companies have undertaken to be careful stewards of this data so they can choose products that enable healthier lifestyles without endangering persons’ privacy,” said Dr. Christopher Parsons, Postdoctoral Fellow at the Citizen Lab, Munk School of Global Affairs, and the University of Toronto.

As a result of this research, consumers concerned about their locational privacy are advised to only wear their fitness device while connected to their mobile device. Moreover, findings cast doubt on the reliability of data for insurance or evidentiary purposes.

Finally, certain applications by Garmin and Withings can expose fitness as well as biographical material (e.g. name, age, and gender) to third parties by transmitting information without encryption; users should evaluate whether they are comfortable with such practices that could expose their personal information to unauthorized parties.