Holy crap, is your Fitbit giving away all your fitness data? That’s what a new study from cybersecurity researchers at the University of Toronto would have you believe. The report tested eight popular wearables to see how secure (or not) they are. Here’s the list of included devices:
- Fitbit Charge HR
- Apple Watch
- Basis Peak
- Garmin Vivosmart
- Jawbone Up 2
- Withings Pulse O2
- Xiaomi Mi Band
- Mio Fuse
Its findings were a bit more complicated than the headlines (“Wearable security flaws revealed in study”) suggest. So what did the researchers find? Not a lot, but the concrete information can be broken into three main categories.
#1. Bluetooth Tracking
Should You Be Worried? No.
The study claims that because these devices pair with your phone via Bluetooth, it exposes you to potential location tracking. That’s kinda true, but it’s not nearly as worrisome as it sounds. Bluetooth radios broadcast over a very short range—around 30 feet under ideal conditions—so if someone wanted to track you they would have to be very close to you. Furthermore, none of your personal data is exposed—just the name of your Bluetooth device (e.g. FitbitCharge74354B).
So what’s the big deal? Stores could theoretically use this information to track when a person comes back multiple times. It wouldn’t know who you were, or anything about you, just that someone who had been there before is there again. Maybe a very sophisticated program could cross-reference that data with who made purchases on that same day, and then, aha! They know who that Fitbit belongs to! But ultimately, why would a company go through that trouble? They already know who you are when you run your credit card. Basically, I give this worry a very large “Yawn” in terms of how worried you should actually be.
For what it’s worth, the Apple Watch got better ratings than the others because it uses a randomized Bluetooth ID instead of a static one. Should you care? Probably not.
#2. Workout Faking
Should You Be Worried? Not really.
A few of the trackers (or their software suites, rather) allow you to tamper with your results. We’re talking about the Garmin Vivosmart, the Jawbone Up 2, and the Withings Pulse O2 specifically. You could have been sitting on the couch all day, eating pie, and then later say that you did a 10-mile run and have it show up in your fitness profile. I give this a Scary Factor Rating of 0.5 out of 10.
The researchers claim that this could be used to lie to insurance companies, if perhaps someone had negotiated a lower policy-rate based on being able to prove activity levels. Well, there aren’t a whole lot of insurance companies willing to give people a break based on activity-tracker step counts. Workouts are easy enough to fake just by shaking your hand for five minutes. Don’t believe me? Skip to 2:09 in this video I made for Wired last year.
The only thing that gives me pause is that activity tracker data could be used as evidence in a court case. As in: “I couldn’t have been involved in a hit-and-run, your honor, because I was on a Stairmaster at the time, see?” I guess that’s a little bit scary, but it could easily be fixed by showing that workout activity was added manually instead of via an upload directly from the tracker. So make that update, fitness tracker companies.
In practice, I find this to be a handy feature. I’ve gone for long walks, hikes, or runs, and had my activity tracker run out of batteries, or I forgot to put it on in the morning. Being able to enter in an approximation of what I did helps me keep track of how many calories I burned. It’s especially great if you swim and your tracker isn’t waterproof.
#3. Insecure Data Transmission
Should You Be Worried? Maybe a bit.
Okay, so this one isn’t good. Here, researchers studied how the tracker’s smartphone app sends data to Internet-based servers. Most of the trackers received high marks, with two exceptions. Here’s what the report says:
“The large exception is the Garmin Connect applications for both Android and iOS, which did not encrypt the transmission of fitness data over the Internet. Garmin Connect only employed HTTPS for account creation and sign on purposes. Withings Health Mate uses HTTPS for most functions save for when a user attempts to share their fitness dashboard with a contact. As a result, important user login session information to Withings’ servers is transmitted insecurely.”
Withings immediately reacted by pulling that functionality from the app and it’s working on patching the security hole, whereupon it’ll bring the feature back. The Garmin stuff is a little more troubling. It transmits your user name and some workout details insecurely over the Internet, which means that if someone were looking for it, they might be able to snatch it, particularly if you were connected via a shared Wi-Fi network.
The study hasn’t stated what data, specifically, is included, but if GPS data is in there then that’s a major problem. As someone who often begins and ends his workouts from his front door, it worries me that someone could find out where I live or even where and when I’m likely to be running. Garmin has not yet responded to the study, but hopefully it’s scrambling to patch that vulnerability ASAP.
Overall, these findings aren’t terribly troubling, but it’s good to be aware of what the gadgets we wear are sharing without our knowledge.