Who will track the trackers?
The whole point of fitness wearables is their ability to monitor your activity—but they may be running your data straight into the hands of strangers.
A new study of the leading fitness trackers on the market found that most of these devices leak your data to a far wider audience than you might imagine—and, in some cases, allow others to alter your information.
Entitled “Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security,” the report is a collaboration between Canadian privacy watchdog Open Effect and the University of Toronto’s Citizen Lab. The teams looked at eight wearables: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivismart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and Xaomi Mi Band.
The study found that, in every case save for the Apple device, the wearables emitted a unique Bluetooth identifier that allowed a third-party to track the device’s movement over time if the device was not actively paired with another device.
The researchers did not find any security holes in Apple’s signature wearable.
Fitness wearables use the Bluetooth protocol to wirelessly transfer data over short distances to phones and other mobile devices. Bluetooth-enabled devices, like many fitness wearables, continually send out pieces of information as a way to indicate to other devices that they’re available to make a connection. In the case of the majority of the wearables studied by Citizen Lab and Open Effect, that information contained unique identifiers that allowed anyone receiving them to track the device’s location as it moved through a specific space.
The Apple Watch was the only device tested that continually randomized this identifier, making it significantly more difficult to track a specific unit over time.
Two of the devices used in the study, those made by Jawbone and Withings, allow for the falsification of fitness records. Data from fitness trackers are often used by insurance companies and in court cases, so the ability to fabricate records has the potential to call those uses into question. The Withings Health Mate and the Garmin Connect also have vulnerabilities that allow attackers not only access data, but alter or delete it entirely, the researchers found.
As a way to show how the data can be manipulated, the researchers reported that they sent Jawbone data stating that their test user took 10,000,000,000 steps in a single day. According to the computational search engine Wolfram Alpha, that’s the equivalent of walking 2.4 million miles.
While wearable fitness trackers originally just collected the number of steps someone took over the course of a day, newer versions record everything from sleep patterns to heart rate. That data isn’t just of interest to health-conscious users. It can also be used by insurance companies, law enforcement officials, data mining firms, and possibly even medical identity thieves.
“Consumers deserve to be better informed about fitness tracking systems’ privacy and security practices,” the report’s authors wrote, “to help them determine whether or not they are comfortable with how their fitness data is being used.”
The report noted a number of different instances when this sort of tracking could theoretically occur. If someone is walking around a shopping mall with a unpaired Fitbit, for example, the mall could pinpoint that person’s location and follow them as they move around a mall.
“Law enforcement agencies might also be interested in databases holding Bluetooth MAC addresses. In the case of the shopping mall, authorities might request access to a subset, or all of, the retained records,” the report notes.
“This has the effect of the collection of Bluetooth MAC information being used far in excess of the reason the devices were emitting advertising packets: to pair with a phone, in order for the user to track their fitness behavior. The shopping center could also decide to sell its customer data to a marketing agency or other data broker without first notifying customers. These agencies could collate multiple data sets together to weave a portrait about customer movements—all based on this … address and other uniquely identifying device identifiers.”
In one Pennsylvania court case last year, a woman’s claim that she was sexually assaulted was undermined by location data provided by her Fitbit. Evidence that information recorded by these devices can falsified or deleted should trigger a bit of skepticism regarding how this data is used in the world of criminal justice—in addition to the insurance sector, where this data is used to judge individual health risk and set premiums—and especially as the prevalence of wearable is poised to expand dramatically.
A 2014 report by Juniper Research found that, at the time of its publication, global revenue generated by wearable devices was around $4.5 billion. By 2019, the report authors expect that number to explode to over $53 billion.
Andrew Hilts, the lead researcher on the study, provided a handful of recommendations about steps the the owners of fitness trackers can take to safeguard their privacy. “Users of Garmin Connect should refrain from syncing with, and using the application on untrusted networks, such as free public WiFi or a coffee shop access point,” he noted. “Users of most devices, save the Apple Watch, might consider keeping their fitness wearables constantly connected to their phones while they are out and about. This would involve keeping Bluetooth turned on at all times. The most important thing consumers can do is to let fitness tracking companies know of any concerns users might have about their privacy and security.”
A Fitbit spokesperson admitted that Bluetooth security is a relatively new area that the company is actively working on improving, but pushed back against the idea that its product was a significant threat to its users’ privacy.
“It’s important to note that Open Effect’s finding can only be used to confirm that an active tracker is nearby. No personally identifiable information is shared or accessible. It’s highly unlikely that a hacker could stumble across a particular device, know who it belongs to, and track the device’s movement. We are not aware of any consumer reports, inquiries or security incidents related to this issue and will continue to monitor it carefully.”
The report’s authors contacted all the of the companies in whose products they found security issues. They noted that Fitbit and Basis, which is owned by Intel, actively engaged with an interest in improving the security of their products.
Photo by Ashstar01/Wikimedia Commons (CC BY-SA 3.0)