Advances in technology have led to the development of devices that track a plethora of personal information, which makes them highly useful, and also highly vulnerable to cyber criminals.
In 2014, one in five adults owned some kind of wearable technology — a fitness band, smartwatch, smart glasses, or clothing. According to PriceWaterhouseCoopers, that percentage is expected to double by 2016. The global market analysis company CCS Insight forecast that 254 million units would be shipped globally by 2019 at a value of $25 billion. Other projections go as high as $100 billion by 2018.
As smart technology becomes increasingly ubiquitous, the security of these devices (or lack thereof) becomes more urgent, and users should purchase carefully and take precautions to keep their personal information secure.
According to the World Wide Web Consortium (W3C), “When a password is transmitted in clear text, it is vulnerable in many ways.” One way is the password can be intercepted by “packet sniffers” or network analyzers as it is transmitted. “There are no scenarios where it is possible to transmit passwords in the clear without risk,” W3C said. W3C is an international community working to develop web standards. It is led by Tim Berners-Lee, the inventor of the World Wide Web.
Typically, when data is transmitted from your fitness tracker, it syncs with your smartphone. Most apps can also be downloaded on your PC or laptop, where you may have a more robust dashboard and options for interacting with your data. This data is then stored on the company’s or third-party servers. All of these interfaces and storage locations are potential security risks.
The FBI recently released a Public Service Announcement warning consumers that the “Internet of Things poses opportunities for cybercrime.” The Internet of Things is any object or device that connects to the Internet automatically to send and receive data, and includes wearables such as fitness trackers.
Why would anyone want this information?
You may wonder why anyone would want to know how many steps you walked or the intensity of your workout. But that’s not the only information that’s available. If you have a GPS on your device, someone who has hacked into your account may be able to tell where you live, when you’re home — and when you’re not— when you’re asleep, where you shop and bank, and otherwise where you are at any given time, which could be a personal safety issue.
If you participate in social platforms associated with some of the device apps and don’t restrict access to friends or people you know, your information could be an open book, and some of this information can be very personal. It’s the same as not posting on Facebook when you’ve gone on vacation or other personal information for the world to see.
Another potential threat is unsecured devices — your phone and your tablet in addition to your fitness tracker — could provide “back door” access to critical personal and financial information stored on your PC or laptop.
What you can do
Because of these many vulnerabilities, UL (formerly Underwriters Laboratories) plans to begin certifying wearables for safety and security in early 2016. But if you’re looking to buy a device now, what can you do in the meantime to minimize exposure to potential cyber crooks?
It’s not just about your wearable. You need to secure the devices it interacts with — your phone and tablet. Everyone knows that you need security on your computer, but tablets and phones are also vulnerable to hacking. Fortunately, there are good free or low-cost anti-virus and anti-spyware apps. Lookout and Avast! (for Android) are two good options.
Regularly back up your devices so you don’t lose all your information in the event your phone or tablet is stolen or hijacked (yes, this is a thing). In the event you lose your phone, make sure you have a “find my phone” feature installed. It’s also a good idea to install a feature that allows you to lock or wipe the device if you can’t get it back. If you regularly work on public Wi-Fi, get a dedicated app (HotSpot Shield VPN or Avast Secureline VPN for Android) to protect your information.
Finally, make sure you stay current with software updates provided by the manufacturer for your device. Just like your computer software, manufacturers are continually working to update and improve your device functionality, including security.
Do your research
Withings had by far the most robust security policy of those reviewed.
“At Withings, we use various methods to safeguard your data. How do we protect your data? First, you need to have a password-protected account to access your data. To strengthen this security, we have developed a feature that allows you to have an additional level of safety: in our mobile application you can define a second password or, when it is possible [available for iOS but not Android], you can choose to use your fingerprint (stored only on your phone — we do not have access to it).”
In addition, Withings goes to great lengths to protect your stored data: “Your data are mainly stored on servers located in France Where are your personal data kept? equipped with the latest security equipment and advanced security techniques and procedures. Access is strictly restricted and various security controls, consisting of security staff, security doors and biometric readers, must be passed. Remote access to the servers is highly restricted and controlled.”
Garmin has some security measures in place, but does not address where data is stored or how secure it is.
“Garmin takes reasonable security measures to help protect against loss, misuse, unauthorized access, and unauthorized disclosure or alteration of the Personal Information under its control. On some of our sites you can create an account to participate or secure additional benefits. The transmission of information you provide to Garmin during the registration processes is encrypted using secure socket layer technology (SSL). If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us of the problem.”
Although information in Mio’s (Physical Enterprises, Inc.’s) Privacy Statement indicates that passwords are used, it doesn’t directly addresses security except to say: “We engage certain trusted third parties to perform functions and provide services to us, including, without limitation, hosting and maintenance, customer relationship, database storage and management, and direct marketing campaigns. We will share your personally identifiable information with these third parties, but only to the extent necessary to perform these functions and provide such services, and only pursuant to binding contractual obligations requiring such third parties to maintain the privacy and security of your data.
These folks take a “You’re on your own” approach.
“We apply organizational and technical measures to ensure access to your information is limited to persons with a need to know. Even though we have taken steps to protect your personal information, you should know that neither we nor any company can fully eliminate security risks.”
The Fitbit website provided minimal information about security, simply stating: “Fitbit uses a combination of technical and administrative security controls to maintain the security of your data. If you have a security-related concern, please contact Customer Support.”
One of the few side-by-side fitness tracker tests we found was conducted in Germany and only on Android platforms. Of the Fitbit Charge it states: “Any smartphone with Bluetooth is welcome to the fitness tracker. It does not prompt for a PIN or other authentication — it simply connects and voluntarily hands over all its data. The data is not even encrypted or protected in other ways.”
We reached out to Fitbit about this. They responded in part: “ . . . we are committed to protecting consumer privacy and keeping their data safe. The security of our users’ data is a top priority and we take it very seriously. Our devices contain multiple controls designed to ensure user privacy. We have developed fixes for this issue and are integrating them into our current products as part of regularly scheduled firmware releases. We implemented the fixes for Fitbit Charge earlier this fall. We also are putting measures in place to prevent this issue in future products.
“It’s important to note that we are not aware of any security incidents related to this issue and will continue to monitor it carefully. Our current assessment is that consumers are very unlikely to be affected by this issue because an unauthorized third party must be in extremely close physical proximity (i.e., within Bluetooth Low Energy range, which for Fitbit trackers is approximately 30 feet) to access a user’s data while it’s being transmitted to the Fitbit mobile app. Furthermore, an unauthorized third party would not be able to manipulate the fitness tracker or the data in a user’s account in any way.”
Fitness trackers are useful tools for those who are trying to monitor and make improvements to their health. Undoubtedly, as they become more widely used and consumer demands for greater security are heard, improvements will be made. Until then, do your homework before purchasing a fitness tracker, and once you have, be smart about how you use it and the security of the devices it syncs to.
January 07, 2016