Fitness trackers are leaking lots of your data, study finds

Flaws in data security will also limit the usefulness of wearables' data for health insurers and courts

Some of the more popular sports wearables don't just let you track your fitness, they let other people track you.

That's what Canadian researchers found when they studied fitness-tracking devices from eight manufacturers, along with their companion mobile apps.

All the devices studied except for the Apple Watch transmitted a persistent, unique Bluetooth identifier, allowing them to be tracked by the beacons increasingly being used by retail stores and shopping malls to recognize and profile their customers.

The revealing devices, the Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2 and Xiaomi Mi Band, all make it possible for their wearers to be tracked using Bluetooth even when the device is not paired with or connected to a smartphone, the researchers said. Only the Apple device used a feature of the Bluetooth LE standard to generate changing MAC addresses to prevent tracking.

In addition, companion apps for the wearables variously leaked login credentials, transmitted activity tracking information in a way that allowed interception or tampering, or allowed users to submit fake activity tracking information, according to an early draft of the report, "Every Step you Fake: A Comparative Analysis of Fitness Tracker Privacy and Security." It was published by Canadian non-profit Open Effect, and researched with help from the Citizen Lab at the Munk School of Global Affairs, University of Toronto.

The apps are typically used to gather data from the fitness tracking device and upload it to a central server, where users can analyze their performance and perhaps compare it with that of other device wearers.

Using a man-in-the-middle attack, researchers were able to spy on traffic between the apps and the servers for all but two of the apps, Apple's Watch 2.1 and Intel's Basis Peak 1.14.0. For the six remaining apps, this allowed them to observe even encrypted data sent via HTTPS.

Apple and Intel used a technique called certificate pinning to avoid being fooled by the fake security certificates presented by the researchers. Intel has been highlighting the risks of poorly secured wearable devices since at least 2014, when it published the report "Safeguarding the Future of Digital America 2025."

The Canadian researchers analyzed the traffic they observed and determined that the Garmin app used HTTPS only for signup and login, sending all other data in the clear, so that third parties could read, write or delete it.

Users of the Jawbone and Withings apps could falsify their fitness records, perhaps allowing them to erase evidence of medical problems or fake their sporting prowess. This is bad news for health insurers, some of which have begun to use fitness tracker data to offer lower premiums, and courts, which have admitted the data as evidence in a number of cases.

The authors are still working on the parts of their report dealing with policy implications, but noted that the significance of the security flaws depends on the jurisdiction where the fitness trackers are used. While the trackers are not considered medical devices, and thus escape the most stringent aspects of U.S. privacy law, the data they generate is considered personal information under European data protection law and so ought to be protected, the researchers said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Apple watch

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Peter Sayer

Peter Sayer

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?