Fitness Trackers: Is Your Personal Health Data Safe?
Millions of people use fitness trackers daily, but where does all of the collected data go?
In this age of wellness culture, fitness trackers are becoming increasingly popular, with users attracted by the marrying of data with their everyday activities. Research from IDC found that the sale of fitness trackers exceeded 75 million in 2015, with the 2016 number expected to exceed 100 million.
Part of the reason for these trackers’ widespread popularity is that it’s not just fitness enthusiasts who are encouraging the use of these devices. Public health officials and insurance companies advocate the use of fitness trackers as they tend to improve people’s health in the long run, lowering health costs. However, in the excitement of using tech to improve people’s healthy habits, there is a significant risk of placing people’s digital lives and data in a vulnerable position.
You Have Been Located
It’s a problem similar to that seen with other kinds of location-based data sets, as well as the internet of things. With so much about our habits and movements being tracked passively, how do we know if our data is being kept safe and not being used without our consent, and how can we trust that manufacturers are doing everything they can to protect our data from hackers?
A recent report from AV Test, the Independent IT Security Institute, had some troubling findings about what some of the leading fitness tracker brands were doing with customer data. Overall, the report found that “some manufacturers are continuing to make disappointing errors” when it comes to data security in this space. The report set out to answer the following two questions about 7 different health trackers that run on Android as well as the Apple Watch: “From the perspective of the private user, is the data recorded in the tracker or app secure against spying or hacking by third parties?”, and “From the perspective of health insurers or other companies, is the data in the tracker or app secure against tampering?”
Here’s a look at how the various brands fared:
The Losers
Disconcertingly, there are many risky trackers included in the analysis. The Runtastic, Striiv, and Xiaomi trackers were said to be easily trackable, and the report also found that they “use inconsistent or no authentication or tamper protection, the code of the apps is not sufficiently obfuscated and data traffic can be manipulated and monitored with root certificates.” In one case, the fitness wristband from Mobile Action offered opportunities for user data to be modified via the back end of the software—a major security hole.
The Winners
The report found that trackers from Pebble Time, Basis Peak and Microsoft Band 2 offered the most security out of the market offerings. Though they were not 100% secure, the opportunities they offered for hackers or bad actors to infiltrate data were minimal.
The Outlier
While it had to be measured in a different way from the Android apps due to test methods that could not be applied to iOS, the Apple Watch warranted its own analysis in the report and was found to have a high security rating. While it was not entirely without some theoretical vulnerabilities, the researchers found that “the time and effort required for attackers to gain access to the watch would be extremely high.”
As wearable tech increasingly becomes a part of our daily lives, it’s essential that users are more proactive in educating themselves about the data that’s being collected about their movements. As these results show, not all manufacturers and developers are treating the issue of security equally. It’s easy to assume that because a product is operational and useful at the user end, the back end is all secure. But that is an assumption that is increasingly risky to make.