By: Andrew Hilts, Christopher Parsons, and Jeffrey Knockel.
Cross posted at Open Effect.
Preface: Key Technical Findings
Fitness tracking devices monitor heartbeats, measure steps, sleep, and tie into a larger ecosystem of goal setting, diet tracking, and other health activities. Every Step You Fake investigates the privacy and security properties of eight popular wearable fitness tracking systems. We use a variety of technical, policy, and legal methods to understand what data is being collected by fitness tracking devices and their associated mobile applications, what data is sent to remote servers, how the data is secured, with whom it may be shared, and how it might be used by companies.
This research is led by Citizen Lab research partner Open Effect, with significant contributions from the Citizen Lab. The project is funded by the Office of the Privacy Commissioner of Canada’s Contributions Program.
Today, we are releasing two sections of the report so that consumers can know what companies are doing to secure their personal information. The two sections being released are the study background, and our technical methodology and findings.
Our key technical findings include:
- Seven out of eight fitness tracking devices emit persistent unique identifiers (Bluetooth Media Access Control address) that can expose their wearers to long-term tracking of their location when the device is not paired, and connected to, a mobile device
- Jawbone and Withings applications can be exploited to create fake fitness band records. Such fake records call into question the reliability of that fitness tracker data use in court cases and insurance programs.
- The Garmin Connect applications (iPhone and Android) and Withings Health Mate (Android) application have security vulnerabilities that enable an unauthorized third-party to read, write, and delete user data
- Garmin Connect does not employ basic data transmission security practices for its iOS or Android applications and consequently exposes fitness information to surveillance or tampering
The researchers sought contact with the seven fitness tracker companies whose products exhibited security vulnerabilities; Apple was not contacted because researchers found no technical vulnerabilities in the Apple Watch using their methodology. Fitbit, Intel (Basis), and Mio responded and engaged the researchers in a dialogue. Fitbit further expressed interest in exploring the topic of implementing Bluetooth privacy features in its communications with the researchers.
Fitness data can provide detailed insights into people’s lives. It is used in an increasing number of areas such as insurance, corporate wellness, and courts of law. Consumers deserve to be better informed about fitness tracking systems’ privacy and security practices to help them determine whether or not they are comfortable with how their fitness data is being used.