What No One Is Telling You About Your Fitness Band

(presumably wearing a fitness band...)

Over the weekend I went to my local Best Buy to get an accessory strap for my new Pebble. Not only was it hard to find the band, it proved quite the challenge to find anything related to Pebble in the sprawling wearable tech section of the store.

In this particular location smartwatches (and their accessories) were vastly outnumbered by specialized fitness trackers. Some of the brands I immediately recognized—Fitbit, Garmin, Jawbone—and others not so much (Withings?)… But what nobody’s telling you about any of these products are the security issues inherent in pretty much all of them, along with the growing and questionable use cases for the technology. That is, until now.

Toronto’s Citizen Lab published a report this month on the security vulnerabilities of fitness trackers. Their key findings:

  • Seven out of eight fitness tracking devices emit persistent unique identifiers (Bluetooth Media Access Control address) that can expose their wearers to long-term tracking of their location when the device is not paired with, and connected to, a mobile device.
  • Jawbone and Withings applications can be exploited to create fake fitness band records. Such fake records call into question the reliability of that fitness tracker data use in court cases and insurance programs.
  • The Garmin Connect applications (iPhone and Android) and Withings Health Mate (Android) application have security vulnerabilities that enable an unauthorized third-party to read, write, and delete user data.
  • Garmin Connect does not employ basic data transmission security practices for its iOS or Android applications and consequently exposes fitness information to surveillance or tampering.

Court cases and insurance programs? That’s right. At least one insurance company here in Canada is already offering discounts on life insurance if the policy holder hands over data from their fitness tracker. As for court cases, those may well involve a growing trend among large companies to hand out fitness trackers to employees. Ostensibly for wellness, they could also be used to track coffee and smoke breaks (for example)—although I suppose it’s no less Orwellian than using a company BlackBerry.

Point is, the data on that fitness tracker had better be secure. And in many cases it’s not.
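To make the first finding concrete, here is an added example (not code from the Citizen Lab report or from any vendor) that audits a Bluetooth LE scan log of your own tracker and reports whether its advertised address ever rotates. The sample sightings, the function names and the 15-minute rotation window are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample log: (seconds since scan start, address, type reported by scanner).
# Addresses are made up; the "public" one uses the IANA documentation MAC range.
SIGHTINGS = [
    (0,     "00:00:5E:00:53:01", "public"),
    (86400, "00:00:5E:00:53:01", "public"),
    (0,     "F3:21:9C:00:11:22", "random"),
    (7200,  "F3:21:9C:00:11:22", "random"),
    (0,     "5A:10:20:30:40:50", "random"),
    (600,   "5A:10:20:30:40:50", "random"),
    (1500,  "6B:99:88:77:66:55", "random"),
]

# Assumption: a private address seen for longer than this is treated as not rotating.
ROTATION_WINDOW_S = 15 * 60

# For BLE random addresses, the two most significant bits encode the sub-type.
RANDOM_SUBTYPES = {
    0b11: "random-static",
    0b01: "resolvable-private",
    0b00: "non-resolvable-private",
    0b10: "reserved",
}

def address_kind(addr, addr_type):
    """Classify a BLE device address using the scanner's public/random flag."""
    if addr_type == "public":
        return "public"
    top_two_bits = int(addr.split(":")[0], 16) >> 6
    return RANDOM_SUBTYPES[top_two_bits]

def audit(sightings):
    """Return, per address, its kind, how long it was seen, and whether it persists."""
    seen = defaultdict(list)
    for ts, addr, addr_type in sightings:
        seen[(addr.upper(), addr_type)].append(ts)
    report = {}
    for (addr, addr_type), times in seen.items():
        kind = address_kind(addr, addr_type)
        span = max(times) - min(times)
        # Public and random-static addresses never change; private ones should rotate.
        persistent = kind in ("public", "random-static") or span > ROTATION_WINDOW_S
        report[addr] = {"kind": kind, "span_s": span, "persistent": persistent}
    return report

if __name__ == "__main__":
    for addr, row in audit(SIGHTINGS).items():
        print(addr, row)
```

A device that shows up as `persistent` in such a log is broadcasting the kind of long-lived identifier the report describes; one that only ever appears under short-lived private addresses is not.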

Sources: The Citizen Lab, The Toronto Star, BBC Capital
