U of T study finds many fitness trackers vulnerable to monitoring
February 2, 2016
Toronto, ON — Today, researchers announce the release of a new report describing major security and privacy issues in several leading wearable fitness tracking devices and accompanying mobile applications. The research examined offerings by Apple, Basis, Fitbit, Garmin, Jawbone, Mio, Withings, and Xiaomi.
The report, Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security, finds that all studied fitness wearables except for the Apple Watch wirelessly emit a persistent unique identifier over Bluetooth. This leakage lets third parties, such as shopping centres or others interested in location-based monitoring, collect and map out people’s movements over time. The research also found that two tracking applications exhibit vulnerabilities enabling third parties to access user data, while two other applications are susceptible to users falsifying their own activity levels.
The research involved analyzing data transmissions between fitness tracker mobile phone applications and the Internet, reverse engineering mobile applications, and examining Bluetooth metadata transmissions.
The report is a collaborative effort between Open Effect, a non-profit applied research group focusing on digital privacy and security, and the Citizen Lab at the Munk School of Global Affairs, University of Toronto. Open Effect has previously published research on the security of ad tracking cookies, and developed Access My Info, an application that makes it easy for Canadians to file legal requests for access to their personal information.
“Most devices we studied do not implement Bluetooth privacy and this leaves users vulnerable to location-based surveillance. We hope our findings will help consumers make more informed decisions about how they use fitness trackers, help companies improve the privacy and security of their offerings, and help regulators understand the current landscape of wearable products.”
–Andrew Hilts, Executive Director, Open Effect and Research Fellow, The Citizen Lab, Munk School of Global Affairs, and the University of Toronto
The researchers sought contact with the seven fitness tracker companies whose products exhibited security vulnerabilities; Apple was not contacted because researchers found no technical vulnerabilities in the Apple Watch using their methodology. Fitbit, Intel (Basis), and Mio responded and engaged the researchers in a dialogue. In its communications with the researchers, Fitbit further expressed interest in exploring the topic of implementing Bluetooth privacy features.
“Wearable devices are marketed on their ability to improve fitness by collecting and transmitting health-related data. It is imperative that consumers understand the efforts companies have undertaken to be careful stewards of this data so they can choose products that enable healthier lifestyles without endangering persons’ privacy.”
–Dr. Christopher Parsons, Postdoctoral Fellow at the Citizen Lab, Munk School of Global Affairs, and the University of Toronto
As a result of this research, consumers concerned about their locational privacy are advised to wear their fitness device only while it is connected to their mobile device. Moreover, the findings cast doubt on the reliability of fitness tracker data for insurance or evidentiary purposes. Finally, certain applications by Garmin and Withings can expose fitness as well as biographical material (e.g. name, age, and gender) to third parties by transmitting information without encryption; users should evaluate whether they are comfortable with such practices, which could expose their personal information to unauthorized parties.
Concerned users can contact companies themselves for further details on their progress in resolving these security vulnerabilities:
- Basis: email@example.com
- Fitbit: firstname.lastname@example.org
- Garmin: email@example.com
- Jawbone: firstname.lastname@example.org
- Mio: email@example.com
- Withings: firstname.lastname@example.org
- Xiaomi: email@example.com
Read the full report: https://openeffect.ca/reports/Every_Step_You_Fake.pdf
For media inquiries, contact:
Public Affairs & Engagement
Munk School of Global Affairs
Guide on Citing In Media
Title: Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security
Published By: Open Effect and Citizen Lab at the Munk School of Global Affairs, University of Toronto
Authors: Andrew Hilts, Christopher Parsons, Jeffrey Knockel.
Funded By: Office of the Privacy Commissioner of Canada’s Contributions Program
Publication Date: 2 February 2016
Report URL: https://openeffect.ca/fitness-tracker-privacy-and-security