Fitness trackers are extremely popular these days, especially at the beginning of the year when most of us are still holding fast to our new year's resolution to stay healthy. But did you know that fitness trackers don't just track your health stats? They also let other people track you.
That's what Canadian researchers found when they studied fitness trackers from eight different manufacturers and their companion apps: Apple, Basis, Fitbit, Garmin, Jawbone, Mio, Withings, Xiaomi.
Researchers found that all the devices they studied except for the Apple Watch transmit a unique Bluetooth identifier that allows the devices to be tracked by beacons. This is troubling because beacons are increasingly being used in commerce; some retailers and shopping malls are using them to recognize and profile customers.
The Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse 02, and Xiaomi Mi Band, all allow users to be tracked through Bluetooth whether or not the device is paired with or connected to a smartphone. The Apple Watch was the only device to pass this test, because they use a feature of the Bluetooth LE standard that prevents tracking.
The companion apps for these wearables also didn't stand up to scrutiny in terms of security and digital privacy. Some apps leaked login credentials, transmitted activity tracking information through lax security making the information susceptible to tampering or interception, or let users submit fake activity tracking information.
The Canadian researchers were able to spy on traffic between the app and servers of all except for two of the apps: Apple Watch 2.1 and Intel's Basis Peak 1.14.0. They even observed encrypted data sent via HTTPS.
Not only do we have to worry about tracking information being insecure or invasive targeted marketing, but this also spells bad news for health insurance companies and the courts. Some health insurers have used fitness tracker data to lower premiums and some courts have accepted fitness tracker data as evidence in cases.
The Anthem and Excellus breaches show us that health data is ripe for hacking and highly sought after. And security concerns in the healthcare sector are far from over, a new report from Arxan Technologies found that 84 percent of US FDA-approved health apps do not adequately address two security risks of the Open Web Application Security Project's tope 10 risks.
So what does this mean for us?
Obviously, we don't expect you to stop using your wearable fitness tech, especially if it's really helping you stick to your fitness goals. However, if you're in the market for a fitness tracker or looking to upgrade, you may want to consider the Apple Watch since it passed the study's audit.
If you have one of the other fitness trackers mentioned do two things: be cautious about the information the tracker and app has access to and keep checking for any updates for the app. With any kind of tech device you should be careful about the information you allow it to access; think about the information you input to the companion app of your device and decide whether that information could compromise your security should it pass through lax security protocols on its way to the server and be intercepted. You should also download any new updates to the app in case the manufacturers of your device implement stricter security as a result of this study.
If you want to learn more about digital privacy and assess your personal risk, check out Privacy Now. You can get personalized recommendations to better guard your privacy and minimize your risks to fraud, for free!