Fitness trackers: Security flaws across the board
Fitness trackers are increasingly popular. In the first quarter of 2016 alone, almost 20 million units have been sold worldwide. By GPS, these devices measure the distances walked by their users, they measure heart rates and notice if the wearer sleeps. But these data are not used solely to the purpose of determining the user’s personal health status; instead, they increasingly are used by third parties for other purposes, notes Ahmad-Reza Sadeghi, professor for system security at the University of Darmstadt’s Cyber Security (CYSEC) department.
In the United States, for instance, data from fitness trackers are already admitted as evidence in lawsuits. They are regarded as a kind of “black box” of the human body, wrote newspaper NY Daily News recently. What’s more, several health insurers offer discounts if the customer allows them to process their data. This openness in handling the data is frequently attracting fraudsters who manipulate the data to gain unfair benefits or even manipulate lawsuits, Sadeghi says. For these reasons, it is essential that ways transfer, processing and storage of these sensitive private data meets high security standards.
In order to investigate the security level of these trackers, Professor Sadeghi and his team performed a study along with the University of Parma (Italy). They scrutinized 17 fitness tracker models from market leading vendors such as Xiaomi, Garmin or Jawbone as well as from less well known brands. The tests focused on manipulating the data sent from the tracker to a cloud server by means of a man-in-the-middle attack.
The result was less than satisfying: Though all cloud-based tracking systems encrypted their data transfers through the HTTPS protocol. Nevertheless the researchers in all cases succeeded in intercepting and manipulating the data. Most of the trackers in the test had no protection mechanisms in place; just four vendors used minor measures to protect data integrity. “These hurdles cannot stop a determined attacker. Even with little expertise, a betrayer could be able to distort the data”, Sadeghi warns. Neither end-to-end encryption nor another protection were in place during the data transfer.
Five of the devices under test did not synchronize their fitness data with an online service. However, their manufacturers store the data in question in plain language on the user’s smartphone. If such a phone gets stolen or infected with a malicious software, the date can be passed on or changed without authorization. “All insurers and other service providers that intend to employ fitness trackers for their business, should discuss security measures beforehand with experts”, Sadeghi says. The good news: The flaws the study identified can be fixed with known standard technologies. “The vendors should however bother to integrate these technologies into their products”.