Fitness trackers such as Fitbit and NikeFuel are in the category of smart devices that may not be as smart as people would like to think, and more vulnerable to hacking than most people want to know. Quantified self, life logging, self-tracking: millions of people around the world are increasingly recording every aspect of their lives. However, the privacy and security of the personal data these devices and applications are tracking is questionable to experts in the field such as those gathered at the Black Hat USA technology show in Mandalay Bay this week.
Most people are aware that computers can be hacked, but few may realize how susceptible their other smart devices are. For example, wearable fitness trackers are vulnerable to location tracking through wireless protocol transmissions. Even though most are not designed to track location, the data they collect is usually synced to another device or a computer for easier viewing, many using wireless Bluetooth technology.
Symantec ran a test of how easily these devices can be tracked by building some portable scanners for a cost of about $75 each that could easily be assembled by “anybody with basic IT skills.” In the test they made no attempt to connect to the devices, but simply scanned for the signals they were broadcasting. They found that all the devices could easily be tracked using the unique hardware address they emitted.
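To check whether a tracker you own exposes a stable hardware address of this kind, the following sketch audits a log of its own advertisements. It is an added example, not code from Symantec's study, and it assumes the device uses Bluetooth Low Energy; the observations, device labels and rotation window are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (seconds, advertised address, header address kind, tester's label).
OBSERVATIONS = [
    (0,    "C8:0F:10:5A:21:9E", "public", "band-A"),
    (900,  "C8:0F:10:5A:21:9E", "public", "band-A"),
    (1800, "C8:0F:10:5A:21:9E", "public", "band-A"),
    (0,    "F3:91:0C:44:7B:02", "random", "band-B"),
    (900,  "F3:91:0C:44:7B:02", "random", "band-B"),
    (0,    "5A:22:9D:10:3E:71", "random", "band-C"),
    (900,  "6C:07:B1:55:90:1A", "random", "band-C"),
    (1800, "41:E8:33:0F:AA:5C", "random", "band-C"),
]
ROTATION_WINDOW = 900  # assumed: seconds after which a private address should have changed


def address_class(addr, kind):
    """Classify a BLE address; random sub-types are set by the two top bits of the first octet."""
    if kind == "public":
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {0b11: "random-static", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")


def audit(observations):
    """Per labelled device, report whether its advertised address is a stable identifier."""
    seen = defaultdict(lambda: defaultdict(list))  # label -> address -> [timestamps]
    kinds = {}
    for ts, addr, kind, label in observations:
        seen[label][addr].append(ts)
        kinds[addr] = kind
    report = {}
    for label, addrs in seen.items():
        classes = {address_class(a, kinds[a]) for a in addrs}
        # Public and random-static addresses never rotate during normal use.
        fixed = bool(classes & {"public", "random-static"})
        # A private address reused beyond the window is also a stable identifier.
        stale = any(max(t) - min(t) > ROTATION_WINDOW for t in addrs.values())
        report[label] = {"classes": sorted(classes), "addresses": len(addrs),
                         "trackable": fixed or stale}
    return report


if __name__ == "__main__":
    for label, row in audit(OBSERVATIONS).items():
        print(label, row)
```

A device that reports `trackable: False` here still rotates only its address; other fields in its advertisements can remain constant and should be checked separately.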
The problem with this scenario, according to Symantec, is that stalkers or burglars could potentially use this tracking information for malicious purposes, for instance, using it to tell when a person is not home so they can rob the house. Other smart devices, such as the Nest home thermostat, can be used the same way. This device uses sensors to determine when someone is home and adjust the temperature in the house accordingly. If hacked, it can tell the intruder whether the homeowner is there or not.
The fitness tracker issue goes beyond figuring out whether someone is home. Many of these devices sync to cloud server databases that collect not just exercise and activity information, but personal data such as birthdate, address, photos and other statistics. All require user names and passwords, but, according to Symantec, the problem is that most do not handle those user names and passwords securely, with at least 20 percent transmitting that user-generated data through unsecured Internet channels without encrypting it.
This is worrisome since many people use the same login credentials, such as passwords and user names, at multiple sites. Login details taken from, for instance, the fitness trackers, may be used in other locations, such as email, that have now become vulnerable due to using the same access codes. In addition, 52 percent of the apps examined by Symantec did not have privacy policies, which Symantec says is an indication of how seriously they treat security.
Orla Cox is Symantec’s director of security response, and she does not wear a fitness device. She said she has not worn one since they did the study, because these quantified self apps make theft very easy. Tracking of customer locations via smart phone shopping apps has been in the news recently, but part of the reason fitness trackers are particularly vulnerable is that they are designed without an off switch.
By Beth A. Balen