Fitness Tracker Vulnerabilities and How to Deal with Them

Cybercriminals have successfully hacked Fitbit user accounts. Learn about the vulnerabilities related to fitness trackers as well as what you can do to keep your data secure.

If Fitbit Charge users were wearing their fitness trackers when they heard the news about Fitbit user accounts being hacked, they probably saw their heart rates increase. On January 6, 2016, BuzzFeed News broke the story on how cybercriminals hacked multiple Fitbit user accounts. They changed email addresses and usernames as well as tried to swindle Fitbit out of replacement items under warranty.

The cybercriminals also gained access to Fitbit users’ data, according to BuzzFeed News. The data includes activity-related metrics, such as the number of steps taken and calories burned. It also includes where users are performing those activities and what time they usually go to sleep if their devices have Global Positioning System (GPS) and sleep-tracking functionality.

This cyberattack raises the question: What are the fitness trackers’ vulnerabilities and how can you deal with them? To answer it, you first need to know how they work.

How Fitness Trackers Work

Fitness trackers use various sensors that continuously generate data about the wearer. Because the devices need to be small and lightweight, they do not store or process this data. Instead, they typically use short-range wireless transmissions to send the data to smartphones (or computers) for storage. Apps on these devices analyze the data and display the results. Oftentimes, these apps also send a copy of the data to cloud-based servers hosted by the fitness tracker vendors. Besides storing the data, the vendors sometimes offer additional services, such as more detailed analyses.

Because fitness trackers work this way, there are security vulnerabilities on several fronts:

  • When the data is sent to the smartphone
  • When the data is sent to the vendor’s cloud servers
  • When the data is stored in the cloud

Problems That Can Occur When the Data Is Sent to the Smartphone

Just about every fitness tracker uses a Bluetooth connection to send its data to the user’s smartphone. If fitness trackers do not take the appropriate measures to secure this connection, problems can arise.

To see whether fitness trackers were taking the necessary precautions, AV-TEST researchers tested the Bluetooth connections on nine fitness trackers. They discovered that two of the fitness trackers adequately secured the connections, but the rest fell short. Common problems included no authentication process or an inadequate one between the fitness tracker and smartphone. Another common problem was that the Bluetooth connection was always active and thus visible to other Bluetooth-enabled devices. The worst offender let any Bluetooth-enabled device connect to it. Once the connection was made, it voluntarily handed over the user’s data, which was not encrypted or protected in any way.

While the AV-TEST researchers pointed out common Bluetooth vulnerabilities, other researchers have proved that those vulnerabilities can be exploited:

  • A Kaspersky Lab researcher proved that it is possible to connect to fitness trackers, execute commands, and even extract data when the devices have inadequate authentication methods.
  • A Fortinet researcher developed a way to deliver malware to a fitness tracker through its Bluetooth port. However, only a small amount of malicious code (up to 17 bytes) can be delivered, according to the NewsFactor Network. This limits the types of attacks that could be carried out.
  • Symantec researchers proved that fitness trackers using Bluetooth Low Energy (LE) connections were susceptible to location tracking. When in use, a Bluetooth LE-enabled device broadcasts a signal to advertise itself to nearby devices. The Symantec researchers built Bluetooth scanners to find these signals. They then successfully used the scanners to locate some fitness trackers and track their owners’ whereabouts at a major European running event and in public areas in Dublin, Ireland, and Zurich, Switzerland.
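The AV-TEST findings above come down to whether a tracker checks the state of the Bluetooth link before it answers a read of the wearer's data. The following model is an added example, not code from the article or from any vendor's firmware: it imitates the Attribute Protocol (ATT) read-permission check in a few lines of Python, with the two real ATT error codes a peripheral returns when it refuses a read. The characteristic names, the stored values and the two device profiles (an "open" one that behaves like the worst offender in the test, and a "hardened" one that keeps only the device name readable before pairing) are constructed for illustration.

```python
"""Model of how a BLE peripheral should gate reads of fitness data behind link security.

Added example, not from the article or any vendor's firmware. It imitates the
Attribute Protocol (ATT) permission check; the characteristic names, values and
the two device profiles are constructed for illustration.
"""
from dataclasses import dataclass

# Real ATT error codes returned when a read is refused (Bluetooth Core Spec, Vol 3, Part F).
ATT_INSUFFICIENT_AUTHENTICATION = 0x05
ATT_INSUFFICIENT_ENCRYPTION = 0x0F

# Security a characteristic can demand before it becomes readable.
NONE, ENCRYPTED, AUTHENTICATED = "none", "encrypted", "authenticated"


@dataclass
class Link:
    """State of one connection between a tracker and a phone."""
    encrypted: bool = False      # link is encrypted (any pairing, including Just Works)
    authenticated: bool = False  # pairing had MITM protection (passkey or numeric comparison)


@dataclass
class Characteristic:
    name: str
    value: bytes
    read_requires: str = NONE


def att_read(link: Link, char: Characteristic):
    """Return (error_code, None) on refusal or (0, value) on success, like an ATT Read Response."""
    if char.read_requires == AUTHENTICATED and not link.authenticated:
        return ATT_INSUFFICIENT_AUTHENTICATION, None
    if char.read_requires == ENCRYPTED and not link.encrypted:
        return ATT_INSUFFICIENT_ENCRYPTION, None
    return 0, char.value


def make_profile(hardened: bool) -> dict:
    """Constructed GATT profile: 'open' hands everything to any connection, 'hardened' does not."""
    level = AUTHENTICATED if hardened else NONE
    return {
        "device_name": Characteristic("device_name", b"Tracker", NONE),
        "steps": Characteristic("steps", (8421).to_bytes(4, "little"), level),
        "heart_rate": Characteristic("heart_rate", bytes([72]), level),
        "sleep_log": Characteristic("sleep_log", b"23:10-06:45", level),
    }


def readable_without_pairing(profile: dict) -> list:
    """Names of characteristics a fresh, unpaired connection can read; a reviewer wants this short."""
    link = Link()
    return [name for name, char in profile.items() if att_read(link, char)[0] == 0]


if __name__ == "__main__":
    for label, hardened in (("open", False), ("hardened", True)):
        print(label, readable_without_pairing(make_profile(hardened)))
```

Running the block lists what an unpaired peer can read from each profile. The hardened profile answers a read of steps, heart rate or sleep data on an unauthenticated link with error 0x05, which is the behaviour the two adequately secured trackers in the AV-TEST study exhibited and the others did not; note that an encrypted-but-unauthenticated (Just Works) link is still refused, because that pairing mode does not verify who is on the other end.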

Problems That Can Occur When the Data Is Sent to the Vendor

Just like any other type of application, fitness tracker apps are susceptible to attacks if they are not properly secured. One major area of concern is how the apps send data to the vendor’s servers.

AV-TEST researchers found that all nine of the fitness tracker apps they tested properly secured any data sent through the Internet. Besides using a secure connection, the apps encrypted the fitness data as well as the users’ credentials.

Unfortunately, that is not always the case. When Symantec researchers analyzed some popular smartphone health and fitness apps, they found that 20 percent of them transmitted users’ login credentials in plain text. This gives cybercriminals the opportunity to access users’ account information as well as their health and fitness data. If the app users reuse their login credentials for other online accounts, the cybercriminals could potentially gain access to those accounts as well. Further, transmitting credentials in plain text makes users more susceptible to other types of attacks, such as Denial of Service (DoS). In a DoS attack, cybercriminals try to prevent users from accessing a service by overwhelming it with service requests.
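The plain-text credential problem described above is something an app reviewer can check mechanically by recording the app's traffic through a test proxy and flagging any request that carries a login secret without transport protection. The script below is an added example, not code from the article, Symantec or any vendor: it audits a small capture of constructed requests (the hostnames use the reserved `.invalid` domain and the field-name list is an assumption about typical login forms) and returns a finding code for each request. It also covers the checklist item further down about confirming that the app uses HTTPS, and goes one step beyond the text by flagging credentials placed in a URL query string even over HTTPS, since those end up in server logs and proxies.

```python
"""Audit captured fitness-app requests for credentials sent without transport protection.

Added example, not from the original article or any vendor's app. The captured
requests are constructed for illustration, the hostnames are placeholders
(.invalid TLD), and the credential field-name list is an assumption.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Field names that usually carry a secret in login, registration or sync requests (assumed list).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "token", "auth_token", "api_key", "secret"}


def credential_fields_in(payload: str, content_type: str) -> set:
    """Names of credential-like fields in a JSON or form-encoded payload (or a query string)."""
    if "json" in content_type.lower():
        try:
            obj = json.loads(payload or "null")
        except json.JSONDecodeError:
            return set()
        return {k for k in obj if k.lower() in CREDENTIAL_FIELDS} if isinstance(obj, dict) else set()
    return {k for k in parse_qs(payload, keep_blank_values=True) if k.lower() in CREDENTIAL_FIELDS}


def audit_request(req: dict) -> list:
    """Finding codes for one captured request; an empty list means nothing was flagged."""
    url = urlsplit(req["url"])
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    in_body = credential_fields_in(req.get("body", ""), headers.get("content-type", ""))
    in_query = credential_fields_in(url.query, "")
    basic_auth = headers.get("authorization", "").lower().startswith("basic ")
    findings = []
    if url.scheme.lower() != "https":
        # On a cleartext scheme every byte, credentials included, is readable along the path.
        findings.append("CLEARTEXT_CREDENTIALS" if (in_body or in_query or basic_auth) else "CLEARTEXT_TRANSPORT")
    if in_query:
        # Even inside TLS, query strings land in server logs, proxies and crash reports.
        findings.append("CREDENTIALS_IN_URL")
    return findings


def audit_capture(requests: list) -> dict:
    """Map each request URL to its findings."""
    return {req["url"]: audit_request(req) for req in requests}


# Constructed capture: what a proxy in front of a test phone might record during login and sync.
CAPTURED_REQUESTS = [
    {"method": "POST", "url": "https://api.example-tracker.invalid/v1/login",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"email": "runner@example.invalid", "password": "hunter2"})},
    {"method": "POST", "url": "http://api.example-tracker.invalid/v1/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "email=runner%40example.invalid&password=hunter2"},
    {"method": "GET", "url": "https://sync.example-tracker.invalid/v1/steps?token=abc123&day=2016-01-06",
     "headers": {}},
    {"method": "GET", "url": "http://cdn.example-tracker.invalid/badges/5k.png", "headers": {}},
]

if __name__ == "__main__":
    for url, findings in audit_capture(CAPTURED_REQUESTS).items():
        print(f"{url}: {', '.join(findings) or 'ok'}")
```

Only the first request passes cleanly. The second is the case Symantec reported: the same login form, but over http. The third shows why a secure connection alone is not enough, and the fourth is harmless content fetched over cleartext, which is worth a lower-severity note because it can be tampered with in transit. In practice the capture would come from an interception proxy configured on a test phone rather than a hand-written list.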

Problems That Can Occur When the Data Is in the Cloud

Fitness tracker vendors commonly store users’ fitness data in their cloud-based servers. This can be problematic in two regards.

First, if the vendors do not properly secure their servers, there could be data breaches. Cybercriminals will likely be interested in this data, particularly if it is co-located with other personal information such as payment card data.

Perhaps a more imminent threat is the sale of fitness data. In the United States, there are currently no federal regulations preventing vendors from selling fitness data to marketing firms, employers, health insurers, and other third parties. They can even sell it without the users’ consent or knowledge. One U.S. senator has asked the U.S. Federal Trade Commission to institute regulations that require fitness-tracker and fitness-app vendors to inform users of such sales and give users the chance to opt out. In other words, these vendors would need to post a privacy policy.

When Symantec researchers were researching smartphone health and fitness apps, they found that 48 percent of the app vendors had posted privacy policies. Most of these policies used generic privacy statements with vague promises of keeping user data private.

What You Can Do to Protect Your Fitness Data

Although fitness trackers have security vulnerabilities on several fronts, you can take some precautions to keep your data secure:

  • Do some research on the fitness tracker to see if there are any known problems.
  • Make sure there is an adequate authentication process used in the communications between the fitness tracker and the smartphone.
  • Verify that the fitness tracker sends out a Bluetooth signal only when needed.
  • Confirm that the fitness tracker app uses secure protocols (e.g., HTTPS) when transmitting data over the Internet.
  • Use full encryption if available.
  • Check to see if the fitness tracker vendor has a privacy policy that states it will not sell users’ data to third parties.
  • Make sure that the fitness tracker vendor uses adequate security measures to protect its servers.
  • Use strong passwords for your online accounts.
  • Do not use the same password for different accounts.
  • Install updates for your smartphone’s operating system and fitness tracker app as soon as they are available.