Fitness trackers are leaking lots of your data, study finds

Flaws in data security will also limit the usefulness of wearables' data for health insurers and courts

Some of the more popular sports wearables don't just let you track your fitness, they let other people track you.

That's what Canadian researchers found when they studied fitness-tracking devices from eight manufacturers, along with their companion mobile apps.

All the devices studied except for the Apple Watch transmitted a persistent, unique Bluetooth identifier, allowing them to be tracked by the beacons increasingly being used by retail stores and shopping malls to recognize and profile their customers.

The revealing devices, the Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2 and Xiaomi Mi Band, all make it possible for their wearers to be tracked using Bluetooth even when the device is not paired with or connected to a smartphone, the researchers said. Only the Apple device used a feature of the Bluetooth LE standard to generate changing MAC addresses to prevent tracking.

In addition, companion apps for the wearables variously leaked login credentials, transmitted activity tracking information in a way that allowed interception or tampering, or allowed users to submit fake activity tracking information, according to an early draft of the report, "Every Step you Fake: A Comparative Analysis of Fitness Tracker Privacy and Security." It was published by Canadian non-profit Open Effect, and researched with help from the Citizen Lab at the Munk School of Global Affairs, University of Toronto.

The apps are typically used to gather data from the fitness tracking device and upload it to a central server, where users can analyze their performance and perhaps compare it with that of other device wearers.

Using a man-in-the-middle attack, researchers were able to spy on traffic between the apps and the servers for all but two of the apps, Apple's Watch 2.1 and Intel's Basis Peak 1.14.0. For the six remaining apps, this allowed them to observe even encrypted data sent via HTTPS.

Apple and Intel used a technique called certificate pinning to avoid being fooled by the fake security certificates presented by the researchers. Intel has been highlighting the risks of poorly secured wearable devices since at least 2014, when it published the report "Safeguarding the Future of Digital America 2025."

The Canadian researchers analyzed the traffic they observed and determined that the Garmin app used HTTPS only for signup and login, sending all other data in the clear, so that third parties could read, write or delete it.

Users of the Jawbone and Withings apps could falsify their fitness records, perhaps allowing them to erase evidence of medical problems or fake their sporting prowess. This is bad news for health insurers, some of which have begun to use fitness tracker data to offer lower premiums, and courts, which have admitted the data as evidence in a number of cases.

The authors are still working on the parts of their report dealing with policy implications, but noted that the significance of the security flaws depends on the jurisdiction where the fitness trackers are used. While the trackers are not considered medical devices, and thus escape the most stringent aspects of U.S. privacy law, the data they generate is considered personal information under European data protection law and so ought to be protected, the researchers said.

Join the PC World newsletter!

Error: Please check your email address.

Tags Apple watch

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Peter Sayer

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?