Serious Security Flaws Found in Fitness Trackers

They may look like a normal watch but are capable to do much more than just showing the time. It seemed as if so called fitness trackers are collecting data on their users‘ lifestyle and health status helping them with training or losing weight.

But Researchers from the Technische Universität Darmstadt and the University of Padua looked at 17 models of fitness tracker currently on the market and found serious security flaws.

While almost all cloud-based tracking systems use an encrypted protocol like HTTPS to transfer their data, the researchers were able to falsify data in almost all cases. In one example, they successfully persuaded the tracker to tell its server that the user had walked 80 million steps in a day.

nearly 20 million fitness trackers have been sold in the first quarter of 2016. Many of them track via GPS the kilometers the user run, measure heart rate and pulse or check if the user is asleep. “These data are not only used for the original purpose but are increasingly being used by third parties”, explains Ahmad-Reza Sadeghi, system security professor.

Data collected by fitness trackers have been used as evidence in court trials in the US, as reported by Forbes in 2014. Police and attorneys have started to recognize wearable devices as the human body’s “black box”, the NY Daily News eported in April 2016. Some health insurance companies recently started to offer discounts if the insured persons provide personal data from their fitness trackers.

This could attract scammers who manipulate the tracked data to fraudulently gain financial benefits or even influence a court trial, says Sadeghi. This makes it all the more important that transmission, processing and storing of the sensitive personal data meet high security standards.

The university’s website reports that the study, concentrated on manipulating the data on their way to the cloud server and examined the security of communication protocols.

Only devices from four manufacturers took some minor measures to protect data integrity, i.e. to ensure that data remain intact and unaltered. “These hurdles cannot stop a motivated attacker. Scammers can manipulate the data even with very little IT knowledge”, Sadeghi warns, as none of the trackers employ End-to-End encryption or other effective tamper protection measures when synchronizing data.

Five of the examined fitness trackers did not provide a possibility to synchronize fitness data with an online service. However, these manufacturers store the collected fitness data in plain-text, i.e. un-encrypted and readable by everyone, on the smartphone which introduces a potential risk of unauthorized data leakage should the smartphone be stolen or infected with malware.

The researchers also found that several manufacturers store their fitness data in plain text. That introduces a risk of the data being accessed by others if a device is stolen or infected with malware.

“Health insurers and all other companies who want to use fitness trackers for their services should seek advice from security experts before doing so, ” said Sadeghi, adding that the technology to prevent this from happening exists, but “it’s just that the manufacturers have to put some more effort in employing these technologies in their products”.

Some health insurance companies recently started to offer discounts if the insured persons provide personal data from their fitness trackers. This could attract scammers who manipulate the tracked data to fraudulently gain financial benefits or even influence a court trial, says Sadeghi. This makes it all the more important that transmission, processing and storing of the sensitive personal data meet high security standards.