Security Problems Identified within Fitness Trackers

Security problems identified in fitness trackers can affect the wearer's personal privacy.

Several security problems identified in fitness trackers have led researchers to conclude that the devices can be used by third parties to track the wearer's location. What is even more worrying is that the problem is almost universal: all but one of the manufacturers in the study were affected.

The study was published by Open Effect, and the research was conducted with the help of the Citizen Lab at the University of Toronto's Munk School of Global Affairs. The Canadian researchers analysed trackers from eight different companies and found only one that did not transmit a persistent Bluetooth identifier: the Apple Watch. The Basis Peak, Mio Fuse, Garmin Vivosmart, Xiaomi Mi Band, Fitbit Charge HR, Jawbone Up 2 and Withings Pulse O2 all broadcast a fixed Bluetooth address, so any Bluetooth receiver in range, such as the beacons shopping malls and retail stores already deploy to recognise returning customers, can identify the same wearer each time they pass.

Furthermore, the wearer can be tracked even when the device is not connected to a smartphone, because the tracker keeps advertising itself over Bluetooth while it waits for a connection. The Apple Watch, by contrast, uses Bluetooth LE's privacy feature: it advertises with a random address that changes periodically, so an observer cannot link one sighting to the next.
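The check a passive observer performs is simple enough to write down. The following is an added example, not code from the Open Effect report or from any of the vendors; the capture it works on is constructed (three 15-minute windows, with the TxAdd flag from each advertising PDU header and the advertiser address). It classifies each address by the rule in the Bluetooth Core Specification and flags every address that survives across windows, which is exactly the property that makes the non-Apple trackers trackable.

```python
"""Passive BLE tracking check: which advertised addresses persist across time windows?

Added example (not from the Open Effect report). CAPTURE below is constructed:
(seconds since capture start, TxAdd flag, advertiser address).
"""
from collections import defaultdict

PUBLIC, RANDOM = 0, 1  # TxAdd bit of the advertising PDU: 0 = public (IEEE-assigned), 1 = random


def random_address_subtype(addr: str) -> str:
    """Sub-type of a random BLE address, from the two most significant bits of the
    most significant byte (Bluetooth Core Spec, Vol 6, Part B, 1.3.2)."""
    top2 = int(addr.split(":")[0], 16) >> 6
    return {
        0b11: "static",                  # random, but fixed: as trackable as a public address
        0b01: "resolvable-private",      # rotates (the spec recommends ~15 min); resolvable only with the IRK
        0b00: "non-resolvable-private",  # rotates and is resolvable by nobody
    }.get(top2, "reserved")


def address_kind(addr: str, txadd: int) -> str:
    """Human-readable address class for one advertisement."""
    if txadd == PUBLIC:
        return "public"
    return "random-" + random_address_subtype(addr)


def persistent_addresses(observations, window_s=900, min_windows=2):
    """Addresses seen in at least `min_windows` distinct time windows.

    That is all a beacon in a shop needs: an address that recurs across windows
    identifies the same wearer on each visit. A device rotating private addresses
    contributes a fresh address per window and never reaches the threshold."""
    windows = defaultdict(set)
    for t, _txadd, addr in observations:
        windows[addr].add(t // window_s)
    return {addr for addr, seen in windows.items() if len(seen) >= min_windows}


# Constructed capture covering three 15-minute windows.
CAPTURE = [
    # Tracker 1: public address, identical in every window -> trackable.
    (10,   PUBLIC, "C8:0F:10:AA:BB:01"),
    (905,  PUBLIC, "C8:0F:10:AA:BB:01"),
    (1810, PUBLIC, "C8:0F:10:AA:BB:01"),
    # Tracker 2: random *static* address (top bits 11) -> just as trackable.
    (20,   RANDOM, "D4:12:34:56:78:9A"),
    (920,  RANDOM, "D4:12:34:56:78:9A"),
    (1820, RANDOM, "D4:12:34:56:78:9A"),
    # Watch with LE privacy: a new resolvable private address (top bits 01) per window.
    (30,   RANDOM, "5A:11:22:33:44:55"),
    (930,  RANDOM, "4C:66:77:88:99:AA"),
    (1830, RANDOM, "7F:BB:CC:DD:EE:FF"),
]

if __name__ == "__main__":
    for addr in sorted(persistent_addresses(CAPTURE)):
        txadd = next(obs[1] for obs in CAPTURE if obs[2] == addr)
        print(f"{addr} ({address_kind(addr, txadd)}) recurs across windows: trackable")
```

Two caveats a practitioner should keep in mind. A random address is only private if its top bits say so: a "random static" address (top bits 11) is chosen once and then never changes, so it gives the observer the same handle a public address does. And the address is not the only handle; a device name or manufacturer-specific data carried in the same advertisement can still correlate sightings even when the address rotates.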

Unfortunately, location is not the only information that leaks. The companion smartphone apps, rather than the wearables themselves, are the weak point: an attacker who can intercept the traffic between app and server can read login credentials and fitness data, and some apps even let a user submit fabricated tracking data. The researchers were able to intercept and read the app-to-server traffic for six of the eight apps. The two they could not break into were Apple Watch 2.1 and Intel's Basis Peak 1.14.0.

Those two companies appear to take the risk more seriously than the rest: both implemented certificate pinning, so the app refuses any server certificate other than the one it expects, and a forged certificate presented by an interceptor is rejected even if the phone has been made to trust the forger's certificate authority. Intel had already published a report on the matter in 2014.

To observe the apps' activity, including encrypted traffic, the researchers had to interpose themselves between app and server with their own fake certificates, which the six unpinned apps accepted without complaint. From that position they discovered that the Garmin Vivosmart companion app uses HTTPS only for login and sign-up and sends everything else in the clear, and that the fitness records uploaded by the Withings Pulse O2 and Jawbone Up 2 apps could easily be altered.
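The difference between the two pinned apps and the six unpinned ones comes down to one extra check after the TLS handshake. The following is an added example of that check, not code from Open Effect, Apple or Intel/Basis: a standard-library-only SPKI pinning check in the RFC 7469 form, base64(SHA-256(SubjectPublicKeyInfo)), with a minimal DER walker to pull the SPKI out of the certificate. The two "certificates" it builds are constructed stand-ins (unsigned shells with empty names and fake key bytes) so the block runs offline; `connect_pinned` shows where the check sits in a real connection and is the only part that touches the network.

```python
"""SPKI certificate pinning: why a fake CA certificate stops working against a pinned app.

Added example, not from the Open Effect report or any vendor. Standard library only.
"""
import base64
import hashlib
import socket
import ssl


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value, end_offset)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def _children(seq_value: bytes):
    """Split a SEQUENCE value into its member TLVs (full encodings, header included)."""
    out, pos = [], 0
    while pos < len(seq_value):
        _, _, end = _read_tlv(seq_value, pos)
        out.append(seq_value[pos:end])
        pos = end
    return out


def spki_from_der(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    tbs_tag, tbs_body, _ = _read_tlv(cert_body, 0)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER X.509 certificate")
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                             # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5]


def spki_pin(cert_der: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki_from_der(cert_der)).digest()).decode()


def pin_matches(cert_der: bytes, pins) -> bool:
    return spki_pin(cert_der) in set(pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> str:
    """Normal chain validation first, then refuse the session unless the leaf's SPKI is
    pinned. A forged certificate from a CA the phone trusts passes the first check but
    not the second. Returns the matching pin."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise ssl.SSLError(f"SPKI pin mismatch for {host}")
            return spki_pin(der)


# ---- constructed stand-in certificates (DER encoder + fake contents) ----

def der_tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_constructed_cert(public_key_point: bytes) -> bytes:
    """Structurally valid but unsigned X.509 shell around a fake EC P-256 key point."""
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSA
    alg_id = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a8648ce3d0201"))          # id-ecPublicKey
                     + der_tlv(0x06, bytes.fromhex("2a8648ce3d030107")))           # prime256v1
    spki = der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + public_key_point))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))                          # version v3
                  + der_tlv(0x02, b"\x01")                                       # serialNumber
                  + sig_alg
                  + der_tlv(0x30, b"")                                           # issuer (empty)
                  + der_tlv(0x30, der_tlv(0x17, b"160201000000Z") + der_tlv(0x17, b"170201000000Z"))
                  + der_tlv(0x30, b"")                                           # subject (empty)
                  + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" + bytes(16)))    # fake signature


VENDOR_KEY = b"\x04" + bytes(range(1, 65))     # constructed: the vendor server's key point
MITM_KEY = b"\x04" + bytes(range(65, 129))     # constructed: an interception proxy's key point

if __name__ == "__main__":
    vendor_cert = build_constructed_cert(VENDOR_KEY)
    pins = [spki_pin(vendor_cert)]
    print("vendor cert accepted:", pin_matches(vendor_cert, pins))                      # True
    print("mitm cert accepted:  ", pin_matches(build_constructed_cert(MITM_KEY), pins))  # False
```

For a real deployment the pin is computed from the vendor's actual leaf or intermediate certificate, for example with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`, and the app ships at least one backup pin so a key rotation does not lock every user out. Pinning the SPKI rather than the whole certificate is what lets the vendor renew the certificate without shipping an app update, as long as the key pair is kept.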

The security problems identified in fitness trackers are bad news for privacy. Although some health insurers already make use of such data, the trackers are not medical devices, so not all provisions of privacy law apply to them in the United States. Under European data protection law, however, the data a tracker generates is personal information, and manufacturers are therefore obliged to protect it.

Image Source: Digital Trends