People around the world are increasingly using electronic devices that capture and record a person’s fitness levels. However, a new study shows that most of these fitness trackers are vulnerable to hackers and can leave consumers’ privacy at risk.
There are different ways through which a person’s privacy can be at risk while using such devices.
Modern electronic fitness trackers send fitness information to a person’s mobile and, frequently, to the websites of the companies that make these devices. The security risk comes from both of these ways of sending out your personal information.
Most of the models studied did not encrypt the data before sending it out on the internet. This means that your personal information is up for grabs by any party interested in getting hold of it.
And what information could that be? Well, modern fitness wearables collect a wide range of data. The number of floors a person climbs in a day (altitude changes), the amount and depth of sleep, and heart rate activity are all captured by best-of-class consumer-level fitness trackers.
Even if the data is encrypted when it is sent to the companies’ websites, it is an open question how ready these companies are to protect the privacy of your data from hackers, or even from legitimate parties such as your insurance company.
Almost all the big companies you may know have had their systems hacked at least once. You could never be 100% sure that your data is totally protected. Once the data is out on the internet, it’s susceptible to hacking at any time.
And if you want to talk legal, there have been instances where a person’s private fitness data has been used in a court of law. You had better keep that in mind.
Secondly, let’s discuss how the fitness tracker sending data to your mobile for display can be a security risk.
Fitness trackers use Bluetooth to establish a connection with mobile phones. In order to do that, the fitness trackers make themselves discoverable over Bluetooth to let your mobile know that they are available to exchange data.
Now, the “discoverable” part is the most dangerous one since it’s a public broadcast message letting everyone in the Bluetooth range know that it’s available.
Technically, the device advertises its Media Access Control (MAC) address to the public. This MAC address is unique to every device. Any interested party looking to track you can easily pick up this address using a scanner and then use it to track you.
Your phone connects with your fitness device as soon as the device advertises its presence, and after that there is no further advertising of the MAC address. However, there could be times when your phone is off, or you have turned off Bluetooth on it to save battery. In that case your fitness device is constantly advertising, leaving you an easy target to be tracked.
Since most of the fitness tracking devices do not change their MAC address, your movement can be tracked by placing scanners at various locations.
Seven out of eight fitness tracking devices studied had fixed MAC addresses assigned to them. The Apple Watch was the only one that could change its MAC address.
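To check whether a tracker you own keeps one address or rotates it, you can review a Bluetooth scan log taken while the phone's Bluetooth is off. The sketch below is an added example, not code from the study: the log entries, device labels and the scanner's "public"/"random" address-type field are constructed assumptions.

```python
from collections import defaultdict

# Constructed scan log, not data from the study:
# (minute seen, address type reported by the scanner, address, device label)
SAMPLE_LOG = [
    (0,  "public", "00:11:22:AA:BB:01", "tracker-A"),
    (20, "public", "00:11:22:AA:BB:01", "tracker-A"),
    (40, "public", "00:11:22:AA:BB:01", "tracker-A"),
    (0,  "random", "5C:31:9E:10:44:02", "watch-B"),
    (20, "random", "6A:07:D2:8B:19:F3", "watch-B"),
    (40, "random", "47:E0:33:5D:A1:6C", "watch-B"),
    (0,  "random", "D4:9B:20:7F:00:10", "band-C"),
    (40, "random", "D4:9B:20:7F:00:10", "band-C"),
]

RANDOM_SUBTYPES = {0b11: "random static", 0b01: "resolvable private", 0b00: "non-resolvable private"}

def address_kind(addr_type, address):
    """Classify a Bluetooth LE advertising address; public ones are manufacturer-assigned."""
    if addr_type == "public":
        return "public"
    # For a random address the two most significant bits select the subtype.
    top_bits = int(address.split(":")[0], 16) >> 6
    return RANDOM_SUBTYPES.get(top_bits, "reserved")

def audit(log):
    """Per device: which address kinds were seen, how many addresses, over how long."""
    seen = defaultdict(list)
    for minute, addr_type, address, label in log:
        seen[label].append((minute, addr_type, address))
    report = {}
    for label, obs in seen.items():
        minutes = [m for m, _, _ in obs]
        addresses = {a for _, _, a in obs}
        report[label] = {
            "kinds": sorted({address_kind(t, a) for _, t, a in obs}),
            "distinct_addresses": len(addresses),
            "observed_minutes": max(minutes) - min(minutes),
            # Same address across the whole window: the device can be followed.
            "fixed_address": len(addresses) == 1 and max(minutes) > min(minutes),
        }
    return report

if __name__ == "__main__":
    for label, row in audit(SAMPLE_LOG).items():
        print(label, row)
```

A device reported with `fixed_address` set to true behaves like the seven fixed-address trackers described above; one that shows several resolvable private addresses over the window is rotating its address.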