Fitness tracker flaws exposed by U of T's Citizen Lab and Open Effect
Research backed by Office of the Privacy Commissioner of Canada’s Contributions Program
Barb Gormley didn’t know that strangers could track her fitness tracker. Or that anyone could rip off personal data leaking from the device.
The personal trainer and her clients use the exercise-boosting devices to record steps taken, calories burned and other data about their progress when working out.
“People are hooked on them,” she said. “I feel like I have a training assistant.”
But the machines also leak personal information – such as name, age and gender – communicated via wifi.
Researchers at the University of Toronto released a new report on Feb. 2 that revealed major security and privacy issues in devices made by Basis, Fitbit, Garmin, Jawbone, Mio, Withings and Xiaomi. The research involved analyzing data transmissions between the Internet and apps for the fitness trackers. The story is already making headlines. (Read the CBC coverage.)
The report, Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security, shows that Bluetooth on seven fitness trackers studied leak personal data that enable anyone near a device to track a user’s location over time. Researchers also found that certain devices by Garmin and Withings transmit information without encryption, leaking other personal data to anyone with the know-how to collect the leaks.
The researchers also analyzed the Apple Watch and found no issues.
The report is a collaborative effort between Open Effect, a non-profit applied research group focusing on digital privacy and security, and the Citizen Lab at the Munk School of Global Affairs at U of T. Open Effect previously published research on the security of ad tracking cookies. It also developed Access My Info, an application that makes it easy for Canadians to file legal requests for access to their personal information.
“I hadn’t thought about the issues too much,” said Gormley, “that somebody could find me using my watch.”
“The upside is they’re so great,” she said. She uses a Garmin device. “I guess we’re maybe a bit blind that there could be a downside.”
The downside, said Andrew Hilts, one of the report’s authors, stems from the fact that each device has a unique identifier emitted constantly via Bluetooth, even after users think they’ve stopped using it.
Hilts, the executive director of Open Effect and a research fellow with the Citizen Lab at the Munk School, said that means anyone – from savvy analytics firms or just someone in a coffee shop – could collect that unique identifier and, in some cases, collect your location and a whole lot more.
“The perception might be, ‘Okay, I’m done with this. I’m turning off Bluetooth,’ but your tracker is still emitting this unique identifier, even if your phone has Bluetooth turned off,” Hilts explained.
“There is a Bluetooth privacy standard in place that provides specifications on how device manufacturers can protect the privacy of their users,” Hilts said. “We’re trying to encourage fitness tracking companies to adopt this standard.” Most devices mentioned in the report do not implement Bluetooth privacy, leaving users vulnerable to location-based surveillance.
“We hope our findings will help consumers make more informed decisions about how they use fitness trackers, help companies improve the privacy and security of their offerings, and help regulators understand the current landscape of wearable products.”
Their findings come on the heels of a report by Professor Guy Faulkner and master's student Krystn Orr of U of T's Faculty of Kinesiology & Physical Education that examined the reliability of smartphone pedometer applications.
Released at the end of 2015, that research found an “unacceptable error percentage” in all apps compared with actual pedometers and urged “caution in their promotion to the public for self-monitoring physical activity and in their use as tools for assessing physical activity in research trials”.
The Citizen Lab and Open Effect researchers sought contact with the seven fitness tracker companies whose products exhibited security vulnerabilities. Fitbit, Intel (Basis), and Mio responded and engaged the researchers in a dialogue. Fitbit further expressed interest in exploring the topic of implementing Bluetooth privacy features in its communications with the researchers. Out of the devices studied, only the Apple Watch adopted the Bluetooth privacy standard.
The report’s authors, Hilts, Christopher Parsons and Jeffrey Knockel, reveal a third issue that arose in the Withings and Jawbone devices: users can falsify their own activity levels. The findings cast doubt on the reliability of data for insurance or other purposes.
“Maybe I’m naïve,” Gormley said. “Maybe an insurance company is conducting top-secret research on me and decide they don’t want to give me insurance?”
“Should I be worried?”