Fit but who knows it? Wearable fitness trackers giving away personal data – study

Fitbit Blaze watches are displayed during the 2016 CES trade show in Las Vegas, Nevada © Steve Marcus
A new study reveals weak protection of personal data on common wearable exercise monitors. Users may unknowingly expose passwords or health information, and because the activity data can be forged in transit, insurers that rely on it have reason to distrust the reports.

The University of Toronto’s Munk School of Global Affairs and its Citizen Lab conducted tests on eight fitness trackers: Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and Xiaomi Mi Band. Researchers examined each device’s Bluetooth advertising and the traffic between its companion app and the vendor’s servers.

"In the course of our technical investigations into transmission security, data integrity, and Bluetooth privacy, we discovered several issues that confirm concerns about the potential uses of fitness tracking data beyond the typical case of a user monitoring their own personal wellness," read the study, titled "Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security" and published by Canadian non-profit Open Effect.

Seven of the eight devices broadcast a fixed Bluetooth MAC address, the same identifier that Bluetooth scanners, such as the beacons retailers deploy to profile shoppers, use to recognise a device each time it comes within range. A fixed address turns the tracker into a persistent tag that follows its wearer from shop to shop. Only the Apple Watch avoided this: it periodically randomises its Bluetooth address, so a scanner cannot link one sighting to the next. The Apple Watch is also the only “smart” device among the tested group.

Beyond the devices broadcasting a trackable identifier, the companion apps not only leaked usernames and passwords but also accepted forged fitness data when the researchers intercepted the traffic between the smartphone app and the company’s servers and altered it in transit. The ramifications cut two ways: an attacker can target the user, or the user could conceivably inflate their own health figures to obtain lower insurance rates.

The study found that Garmin's Vivosmart protected login credentials with HTTPS but sent other data without it. Fitness data from the Jawbone Up 2 and Withings Pulse O2 was found to be easily manipulated.

"The fitness data generated by several wearable devices can be falsified by motivated parties, calling into question the degree to which this data should be relied upon for insurance or legal purposes," the study read.
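The following is an added example, not code from the study or from any of the vendors, showing why data that a server merely parses can be falsified by anyone on the path, and what a minimal integrity check looks like. It models an interception proxy rewriting a step count in an unsigned JSON upload, which the server accepts, and then the same rewrite against a report the tracker itself has authenticated with HMAC-SHA256 under a per-device key, which the server rejects. The report format, the device identifier, the key and the assumption that the tracker holds a key provisioned at pairing are all constructed for the illustration and do not describe any vendor's protocol.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Report is one day's step count as the companion app uploads it (constructed format).
type Report struct {
	DeviceID string `json:"device_id"`
	Date     string `json:"date"`
	Steps    int    `json:"steps"`
}

// SignedReport carries the report JSON plus a hex HMAC-SHA256 over it, computed
// on the tracker under a key provisioned at pairing (assumed design).
type SignedReport struct {
	Body string `json:"body"`
	Tag  string `json:"tag"`
}

// encodeReport is the unsigned upload: plain JSON that anyone on the path can edit.
func encodeReport(r Report) (string, error) {
	b, err := json.Marshal(r)
	return string(b), err
}

// tamperSteps models the interception proxy: decode, rewrite the count, re-encode.
// Nothing in an unsigned upload records that the change happened.
func tamperSteps(body string, steps int) (string, error) {
	var r Report
	if err := json.Unmarshal([]byte(body), &r); err != nil {
		return "", err
	}
	r.Steps = steps
	return encodeReport(r)
}

// acceptUnsigned is a server that believes whatever parses (the failure mode).
func acceptUnsigned(body string) (Report, error) {
	var r Report
	err := json.Unmarshal([]byte(body), &r)
	return r, err
}

// tagBytes is HMAC-SHA256 over the canonical body.
func tagBytes(key []byte, body string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(body))
	return m.Sum(nil)
}

// signReport runs on the tracker, where neither the proxy nor the app can read the key.
func signReport(key []byte, r Report) (SignedReport, error) {
	body, err := encodeReport(r)
	if err != nil {
		return SignedReport{}, err
	}
	return SignedReport{Body: body, Tag: hex.EncodeToString(tagBytes(key, body))}, nil
}

// verifyReport is the server check: recompute the tag with the device's key and
// compare in constant time before trusting any field of the body.
func verifyReport(key []byte, s SignedReport) (Report, error) {
	want, err := hex.DecodeString(s.Tag)
	if err != nil {
		return Report{}, err
	}
	if !hmac.Equal(tagBytes(key, s.Body), want) {
		return Report{}, errors.New("report tag does not verify: body altered or wrong key")
	}
	return acceptUnsigned(s.Body)
}

func main() {
	key := []byte("per-device key provisioned at pairing (constructed)")
	r := Report{DeviceID: "tracker-01", Date: "2016-02-01", Steps: 3412}

	body, _ := encodeReport(r)
	forged, _ := tamperSteps(body, 30000)
	got, _ := acceptUnsigned(forged)
	fmt.Println("unsigned upload: server records steps =", got.Steps)

	s, _ := signReport(key, r)
	s.Body, _ = tamperSteps(s.Body, 30000)
	_, err := verifyReport(key, s)
	fmt.Println("signed upload after tampering:", err)
}
```

Two caveats a practitioner should keep in mind. Transport encryption alone (HTTPS between app and server, as the Vivosmart used for credentials) protects only that hop; it does nothing against a user who controls the phone and edits the data before it is encrypted, which is why the tag here is computed on the tracker. And even device-side signing does not stop an owner from shaking the tracker or strapping it to a pet, so an insurer's trust in the numbers still rests on the device's own sensing, not only on the channel.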

Fitness tracker sales have yet to see any impact from reports of inadequate security. Last year, market research company The NPD Group reported annual sales of the trackers increased by 85 percent over 2014, even though prices also increased.