Fitbit, Other Fitness Trackers Leak Personal Data: Study - InformationWeek


01:06 PM
Eric Zeman


Odds are pretty high that your wearable is spilling personal data all over the place, says a new study. But the Apple Watch may be the exception.


Fitness trackers are not secure at all, claim researchers in a new study. Of eight devices tested, only one offers owners a modicum of protection. Wearables were found to share location data and leave personal fitness data open to pilfering by ne'er-do-wells. The study shines light on a new security angle to consider when strapping on wearables.

Compiled by Citizen Lab and the Munk School of Global Affairs, the study, titled "Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security," was published by Canadian nonprofit Open Effect. It looked at several popular wearables, including the Apple Watch, the Basis Peak, the Fitbit Charge HR, Garmin's Vivosmart, the Jawbone Up 2, the Mio Fuse, the Withings Pulse O2, and the Xiaomi Mi Band. The researchers targeted the devices' Bluetooth radios to see what they could discover.

The authors wrote:

In the course of our technical investigations into transmission security, data integrity, and Bluetooth privacy, we discovered several issues that confirm concerns about the potential uses of fitness tracking data beyond the typical case of a user monitoring their own personal wellness.


Seven of the eight wearables revealed unique Bluetooth identifiers -- their MAC address -- which allowed them to be tracked by nearby Bluetooth beacons. Beacons are used more and more in stores and malls to profile shoppers and push tailored offers. Only the Apple Watch took advantage of Bluetooth LE's ability to generate random MAC addresses to thwart potential location tracking.
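
As an added illustration (not code from the study or the article), this Python sketch shows how an auditor could check whether a device under test rotates its Bluetooth LE advertising address. The observation tuples, device labels and the 900-second window are constructed assumptions; the address classes follow the Bluetooth LE address format, where the top two bits of a random address mark its subtype.

```python
from collections import defaultdict

# Constructed observations: (seconds, address, TxAdd bit, auditor's label).
# TxAdd = 0 marks a public address, 1 a random address.
OBSERVATIONS = [
    (0, "C8:0F:10:AA:BB:01", 0, "tracker-A"),
    (1800, "C8:0F:10:AA:BB:01", 0, "tracker-A"),
    (0, "5A:31:7E:02:9C:11", 1, "watch-B"),
    (900, "6F:88:12:D4:30:A7", 1, "watch-B"),
    (1800, "41:0C:E9:77:5B:2E", 1, "watch-B"),
    (0, "F3:9D:00:41:6A:C2", 1, "tracker-C"),
    (1800, "F3:9D:00:41:6A:C2", 1, "tracker-C"),
    (0, "7B:22:4D:90:1E:55", 1, "tracker-D"),
    (1800, "7B:22:4D:90:1E:55", 1, "tracker-D"),
]
STABLE_KINDS = {"public", "random-static"}


def address_kind(address, tx_add):
    """Classify an advertiser address from TxAdd and its two top bits."""
    if tx_add == 0:
        return "public"
    top_bits = int(address.split(":")[0], 16) >> 6
    return {0b11: "random-static",
            0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")


def audit(observations, max_lifetime=900):
    """Flag devices whose address is fixed by type or outlives max_lifetime."""
    seen = defaultdict(dict)  # label -> address -> [kind, first_seen, last_seen]
    for t, addr, tx_add, label in observations:
        rec = seen[label].setdefault(addr, [address_kind(addr, tx_add), t, t])
        rec[1], rec[2] = min(rec[1], t), max(rec[2], t)
    report = {}
    for label, addrs in seen.items():
        kinds = {kind for kind, _, _ in addrs.values()}
        longest = max(last - first for _, first, last in addrs.values())
        report[label] = {
            "kinds": sorted(kinds),
            "distinct_addresses": len(addrs),
            # A private-type address that never changes is as stable as a public one.
            "trackable": bool(kinds & STABLE_KINDS) or longest > max_lifetime,
        }
    return report
```

In the constructed data, `tracker-D` advertises a private-type address but never changes it, so it is flagged just like the devices with public or static addresses.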

While the devices themselves gave up their owners' whereabouts, the accompanying apps leaked a greater amount of personal information. For example, apps spilled login credentials and failed to protect against interception and tampering when they were transmitting data between smartphone, wearable, and the wearable company's own servers. The researchers were able to use a man-in-the-middle attack to pilfer data sent to/from the companion app's servers. This could allow others to push false data into the wearable or the phone, they said.

Garmin's app, for example, relies on HTTPS at signup and login, but all other data is wide open. Users of the Jawbone and Withings apps can easily forge fitness data. That ability could lead to people hiding medical problems and injuries or misrepresenting their health to third-party observers (think insurance companies).


"The fitness data generated by several wearable devices can be falsified by motivated parties, calling into question the degree to which this data should be relied upon for insurance or legal purposes," noted the study.

Again, Apple's wearable app offered more protection than its counterparts. It's worth pointing out that the Apple Watch is the only true smartwatch among the eight devices tested. The rest are far simpler activity trackers that don't offer the third-party app compatibility the Apple Watch does. The researchers didn't include Android Wear. Smartwatches are slowly overtaking fitness trackers as the wearables of choice for many consumers.

The authors have yet to compile conclusions or recommendations, but the need to improve wearable security is fairly obvious. Makers of fitness trackers should be called on to do more to protect owners' data, both by securing the Bluetooth connections and by taking steps to shore up their companion apps.


Eric is a freelance writer for InformationWeek specializing in mobile technologies.
User Rank: Ninja
2/4/2016 | 9:25:32 AM
Re: This first hit in October
Yeah, sadly many of these devices lack basic security controls, and even back last March, Kaspersky Labs also found lots of vulnerabilities.

In fact, WISekey and Kaspersky partnered to help create security for wearable tech. Both announced that they are developing technology that will deeply integrate authentication and data encryption into new wearable devices, enabling them to safely connect, communicate and exchange financial data.

Hopefully this will help create a more secure future for wearables!


User Rank: Author
2/3/2016 | 1:30:33 PM
This first hit in October
Fortinet found it then, and Fitbit had a hissyfit. was what I wrote on it