Some fitness trackers vulnerable to monitoring, U of T study finds

Some of the top-selling brands of fitness trackers that monitor wearers' heart rates, sleeping patterns and movement are putting user data and privacy at risk, according to a new report.

Researcher alters data, fakes 800 km walk

9 years ago

Duration 0:54

Citizen Lab researcher Andrew Hilts shows Dave Seglins how he can hack into his Jawbone fitness tracker data to fake his workout

Cybersecurity researchers at the University of Toronto examined eight popular wrist-worn trackers. They tested how they communicate with mobile appsand even upload and store a user's workout information on manufacturers' computer servers.

• Wearable technology: Canada emerging as a global leader
• Retailers use smartphones to track your habits in the store
• Do fitness trackers really change our behaviour?

The researchers conclude thatseveral models expose users to potential internetsnoops and hackers even when devices aren't being used for exercise and mobile apps are turned off.

"Fitness trackers are a fairly new technology and we don't have many regulations right now," said lead researcher Andrew Hilts, whois executive director of Open Effect and a research fellow at Citizen Lab at the U of T's Munk School of Global Affairs.

"We found cases where your data is being sent and you might not be aware, and there's no apparent reason why it's being sent," Hilts told CBC News.

The study examined popular models made by Garmin, Fitbit, Jawbone, Mio, Withings, Xiaomi, Basis and Apple.

Location tracking

Each of the devices uses Bluetooth technology that emits a signal and a unique ID that can be detected even when the tracker is not paired with a mobile phone.

This "can leave their wearers exposed to long -term tracking of their location," concludes the Open Effect / Citizen Lab research report released Tuesday.

To demonstrate, Hilts accompanied CBC News to Yorkdale Shopping Centrein suburban Toronto. He used his own mobile phone to scan for Bluetooth signals. He detected many devices, including a Garmin Vivoactive Smartwatch worn by squash enthusiast Mike Maiola.

"That can be a bit invasive," Maiola said with some surprise when CBC News showed him thathis wristwatch fitness tracker could be detected even when he wasn't using it for a workout.

The researchers warn this exposes users to having their devices tracked and logged each time they enter a mall or another environment using sophisticated retail data scanning technology.

"I got it for fitness tracking, for golf and a whole host of things. And I wear it every day it never comes off my wrist,really," says Maiola .

But now he's reconsidering.

This information "might change how I actually use the device and whether or not I have the Bluetooth functionality on."

The Apple Watch received highmarks in the study for data security because it is the only model that randomizes a user's Bluetooth ID, making it impossible to track over the long term.

Bogus workout results

The Citizen Lab researchers conclude the Garmin app,called Connect,sends heart rate, workout andmovement data across the internet without encryption.

"Eavesdroppers could easily look at their data," Hilts cautions.

In addition, Hilts says other devices have vulnerabilities that could allow a user with a bit of technical know-how to tamper with their fitness information to log bogus workout results.

This is concerning, says Hilts, because fitness tracker data is increasingly being relied on as evidence in court, or as a basis for rewards or discounts tied tocorporate wellness programs andhealth insurance policies.

"Potentially people could meddle with their data and say they are doing fitness events, fitness activities, even when they weren't," Hilts said.

Sitting at hiscomputer, Hilts demonstrated for CBC Newshow he was able to send false "walking data" to his Jawbone UP 2 account to make it appear he walked one million steps on a recent Saturday. That'sroughly 800 km, the distance from Toronto to Quebec City.

Privacy study prompts re-think of tracker use

9 years ago

Duration 0:47

Squash player rethinks how he uses his fitness tracker after learning about possible privacy concerns.

"I could definitely fake my workout to astronomical levels," Hilts said.

"Let's say the person's insurance premiums are related to the amount of activity they report on their fitness tracker.All it takes is a few bad apples to exploit their device and inflate their step counts."

The manufacturer, Jawbone, told CBC News it is investigating the claims made in the research report and declined to answer questions.

Garmin, the maker of the device that transmits basic fitness data without encryption, declined requests for comment.

Other manufacturers issued statements (Mio,Fitbit, Withings) expressing commitments to privacy, stressing data transmitted from apps does not disclose a user's name. They insist that usingBluetooth LE (Low Energy) is industry-standard and power-efficient despite potential privacy exposures.

Withings, maker of the Pulse O2 tracker, stated the company "does not believe any customer is at risk of having their location tracked over the long term."

However, Withings shut down theShare Dashboardsocial-media function on its Health Mate app for Android users after CBC News contacted the company about the findings.

"An updated version of the Android app will be available in the coming week and will feature enhanced encryption," said company spokesman Ian Twinn in an email.

Details of the 8 devices studied in theOpen Effect / Citizen Lab research report

• Connected devices quietly mine our data, privacy experts say