A few of the widely used fitness trackers, except the Apple Watch, don’t just let you keep track of your heart rates, movements and stepping patterns, but let other people track you and manipulate your data as well, says a study.
A study published on Tuesday, titled “Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security,” claims that a number of trackers expose users to cybercriminals regardless of whether these devices are not being used by the wearers and mobile apps are disabled.
Cybersecurity researchers from Canadian non-profit Open Effect, in collaboration with the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, have evaluated eight renowned fitness trackers, which range from Garmin Vivosmart, Basis Peak, Jawbone Up2, Fitbit Charge HR, Mio Fuse, Xiaomi Mi Band, Withings Pulse O2 and Apple Watch.
The study notes that all of these devices, with the exception of the Apple’s smart timepiece, make it possible for hackers to trace the owners by means of Bluetooth, even when they are not paired with a smartphone. It explains that each of these wearables makes use of a Bluetooth technology emitting a signal plus a unique identifier that can be tracked. The researchers conclude that this can leave users subjected to long-term tracking of their location.
"We found cases where your data is being sent and you might not be aware, and there's no apparent reason why it's being sent," says Andrew Hilts, Open Effect's executive director. He is convinced that "eavesdroppers" could very easily look at the wearer's data.
The key reason why Apple Watch has been deemed highly secure from the vulnerability is because it is the only model that employs the Bluetooth LE standard that randomizes a user’s Bluetooth ID, hence making the device extremely hard to track.
The researchers also discovered that Garmin’s app, named Connect, transmits health data over the Web with no encryption. On top of that, other analyzed devices also come with security flaws that could enable a hacker to tamper with their data to log phony workout results.
Meanwhile, a report from Engadget says that while there exist some risks, the possibility of somebody targeting your tracker is “fairly slim.”
“A hacker is more likely to want your banking info or phone location than your step count or heart rate,” points out the report.