
U of T study finds many fitness trackers vulnerable to monitoring

February 2, 2016

Toronto, ON — Today, researchers announce the release of a new report describing major security and privacy issues in several leading wearable fitness tracking devices and accompanying mobile applications. The research examined offerings by Apple, Basis, Fitbit, Garmin, Jawbone, Mio, Withings, and Xiaomi.

The report, Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security, finds that all studied fitness wearables except for the Apple Watch wirelessly emit a persistent unique identifier over Bluetooth. This leakage lets third parties, such as shopping centres or others interested in location-based monitoring, collect and map out people’s movements over time. The research also found that two tracking applications exhibit vulnerabilities enabling third parties to access user data, while two other applications are susceptible to users falsifying their own activity levels.
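The "persistent unique identifier" finding comes down to which kind of Bluetooth LE advertiser address a device broadcasts: a public or random-static address never changes, while a resolvable private address (the Bluetooth LE Privacy feature) is rotated periodically and can only be linked back to the device by a phone holding its identity key. The audit below is an added example, not code from the report or from Open Effect, and runs over a constructed advertisement capture; the address values, the 15-minute rotation window and the `SAMPLE` list are assumptions made for illustration.

```python
# Added example (not from the report): classify BLE advertiser addresses and
# flag devices that keep broadcasting one identifier, the exposure the report
# describes. Address sub-types follow the Bluetooth Core spec (two MSBs of
# the top octet: 11 static, 01 resolvable private, 00 non-resolvable private).
from collections import defaultdict

def ble_address_type(addr: str, txadd_bit: int) -> str:
    """Classify a 48-bit address 'XX:XX:XX:XX:XX:XX' given the advertising
    PDU's TxAdd bit (0 = public address, 1 = random address)."""
    if txadd_bit == 0:
        return "public"
    msb2 = int(addr.split(":")[0], 16) >> 6
    return {0b11: "random-static",
            0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(msb2, "reserved")

def trackable_devices(observations, rotation_window=15 * 60):
    """observations: iterable of (seconds, addr, txadd_bit) as seen by a
    passive listener. Returns {addr: reason} for addresses that behave as a
    persistent identifier: a fixed public/static address, or a private
    address still being advertised after the expected rotation window."""
    seen = defaultdict(list)
    for ts, addr, txadd in observations:
        seen[(addr, txadd)].append(ts)
    flagged = {}
    for (addr, txadd), stamps in seen.items():
        kind = ble_address_type(addr, txadd)
        span = max(stamps) - min(stamps)
        if kind in ("public", "random-static"):
            flagged[addr] = f"{kind} address: fixed identifier"
        elif span > rotation_window:
            flagged[addr] = f"{kind} address unchanged for {span}s"
    return flagged

# Constructed sample capture: (seconds since start, address, TxAdd bit).
SAMPLE = [
    (0,    "C4:BE:84:12:34:56", 0),  # public address, same two hours later
    (7200, "C4:BE:84:12:34:56", 0),
    (0,    "5A:11:22:33:44:55", 1),  # resolvable private (MSBs 01) ...
    (600,  "4F:66:77:88:99:AA", 1),  # ... replaced by a new one after 10 min
    (0,    "F0:01:02:03:04:05", 1),  # random static (MSBs 11), never rotates
    (1800, "F0:01:02:03:04:05", 1),
]

if __name__ == "__main__":
    for addr, reason in trackable_devices(SAMPLE).items():
        print(f"{addr}: {reason}")
```

Only the two devices without LE Privacy are reported; the rotating resolvable private addresses are unlinkable to a listener without the identity resolving key.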

The research involved analyzing data transmissions between fitness tracker mobile phone applications and the Internet, reverse engineering mobile applications, and examining Bluetooth metadata transmissions.

The report is a collaborative effort between Open Effect, a non-profit applied research group focusing on digital privacy and security, and the Citizen Lab at the Munk School of Global Affairs, University of Toronto. Open Effect has previously published research on the security of ad tracking cookies, and developed Access My Info, an application that makes it easy for Canadians to file legal requests for access to their personal information.

“Most devices we studied do not implement Bluetooth privacy and this leaves users vulnerable to location-based surveillance. We hope our findings will help consumers make more informed decisions about how they use fitness trackers, help companies improve the privacy and security of their offerings, and help regulators understand the current landscape of wearable products.”
Andrew Hilts, Executive Director, Open Effect and Research Fellow, The Citizen Lab, Munk School of Global Affairs, and the University of Toronto

The researchers sought contact with the seven fitness tracker companies whose products exhibited security vulnerabilities; Apple was not contacted because researchers found no technical vulnerabilities in the Apple Watch using their methodology. Fitbit, Intel (Basis), and Mio responded and engaged the researchers in a dialogue. Fitbit further expressed interest in exploring the topic of implementing Bluetooth privacy features in its communications with the researchers.

“Wearable devices are marketed on their ability to improve fitness by collecting and transmitting health-related data. It is imperative that consumers understand the efforts companies have undertaken to be careful stewards of this data so they can choose products that enable healthier lifestyles without endangering persons’ privacy.”
Dr. Christopher Parsons, Postdoctoral Fellow at the Citizen Lab, Munk School of Global Affairs, and the University of Toronto

As a result of this research, consumers concerned about their locational privacy are advised to only wear their fitness device while connected to their mobile device. Moreover, findings cast doubt on the reliability of data for insurance or evidentiary purposes. Finally, certain applications by Garmin and Withings can expose fitness as well as biographical material (e.g. name, age, and gender) to third parties by transmitting information without encryption; users should evaluate whether they are comfortable with such practices that could expose their personal information to unauthorized parties.

Concerned users can contact companies themselves for further details on their progress in resolving these security vulnerabilities:

Read the full report: https://openeffect.ca/reports/Every_Step_You_Fake.pdf

For media inquiries, contact:
Dena Allen
Public Affairs & Engagement
Munk School of Global Affairs
Tel: 416.946.0123
Mobile: 416.795.3902
dena.allen@utoronto.ca

Guide on Citing In Media
Title:
Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security
Published By: Open Effect and Citizen Lab at the Munk School of Global Affairs, University of Toronto
Authors: Andrew Hilts, Christopher Parsons, Jeffrey Knockel.
Funded By: Office of the Privacy Commissioner of Canada’s Contributions Program
Publication Date: 2 February 2016
Report URL: https://openeffect.ca/fitness-tracker-privacy-and-security