Fitness trackers are one of the most sought-after consumer tech devices on the market, driven by our desire to track everything from our calories burned and steps taken, to our sleep patterns.
But, according to a new study, some of the top-selling fitness tracker models are putting user data and privacy at risk.
Researchers at Open Effect – a research partner of Citizen Lab at the University of Toronto’s Munk School of Global Affairs – examined eight popular fitness trackers made by companies like Apple, Fitbit, Garmin, Jawbone, Mio and Withings and studied how the devices communicate with smartphone apps and how workout information was stored.
Seven of the eight devices were found to give off unique identifiers called Bluetooth Media Access Control (MAC) addresses that can be used to track the user’s location when the device isn’t connected to a smartphone.
Apple Watch was the only device that didn’t reveal this identifier.
“Our findings directly relate to the case of shopping centres that scan for Bluetooth devices to monitor customer journeys as they move from store to store. As an example, a mall visitor wearing a Fitbit Charge HR might have turned off their phone’s Bluetooth radio to save power, or forgotten their phone at home or in the car,” read the report.
“In either case, the Fitbit device would emit advertising packets detectable by the shopping centre’s scanning. Since the Fitbit does not change its MAC address the shopping centre can monitor the presence of the MAC address relative to its scanners and pinpoint the customer’s location.”
While this data wouldn’t personally identify the user, it raises concerns about data protection practices on these devices, said lead researcher Andrew Hilts.
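To make the shopping-centre scenario concrete, here is an added example (not from the Open Effect report or from any manufacturer) that runs a linkability check over a constructed scan log: it classifies each advertising address by type using the address bits defined in the Bluetooth Core Specification, then rebuilds the route a scanner network could reconstruct for each address. The device that keeps a fixed address is linked across every scanner; the device that rotates its address leaves only one-off sightings. All addresses, scanner names and timestamps are made up.

```python
from collections import defaultdict

# Constructed scan log: (seconds since start, scanner location, advertiser
# address, TxAdd). TxAdd is the advertising PDU header bit: 0 = public
# address, 1 = random address. Addresses are invented for this example.
SCAN_LOG = [
    (0,   "entrance",    "C4:A3:11:22:33:44", 0),  # fixed public address
    (0,   "entrance",    "5A:0F:21:0C:9E:01", 1),  # rotating private address
    (300, "food court",  "C4:A3:11:22:33:44", 0),
    (300, "food court",  "7B:13:AA:54:02:EE", 1),  # same phone, new address
    (900, "electronics", "C4:A3:11:22:33:44", 0),
    (900, "electronics", "64:F7:09:1D:C3:A0", 1),
]

def random_address_kind(addr):
    """Classify a BLE random address by its two most significant bits
    (Bluetooth Core Spec Vol 6, Part B, 1.3.2): 0b11 static, 0b01 resolvable
    private, 0b00 non-resolvable private; 0b10 is reserved."""
    msb = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(msb, "reserved")

def address_kind(addr, txadd):
    """Public addresses never change; only TxAdd=1 addresses can rotate."""
    return "public" if txadd == 0 else random_address_kind(addr)

def trails(log):
    """Sightings grouped by advertiser address, in time order: the route a
    scanner network can rebuild for each address it has seen."""
    t = defaultdict(list)
    for ts, where, addr, _ in sorted(log):
        t[addr].append((ts, where))
    return dict(t)

def linkable_addresses(log, min_locations=2):
    """Addresses seen at two or more locations, i.e. wearers whose movement
    through the scanners can be reconstructed from the address alone."""
    return sorted(addr for addr, seen in trails(log).items()
                  if len({where for _, where in seen}) >= min_locations)

if __name__ == "__main__":
    for addr, seen in trails(SCAN_LOG).items():
        txadd = next(t for _, _, a, t in SCAN_LOG if a == addr)
        print(addr, address_kind(addr, txadd), seen)
    print("linkable:", linkable_addresses(SCAN_LOG))
```

Only the fixed-address device ends up in the linkable list, which is the property a privacy assessment of a wearable should check for.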
The study also found that Garmin’s “Connect” app for iOS and Android does not use encryption when transferring users’ fitness data – leaving it vulnerable to hackers who could tamper with the user’s health data or privacy settings.
Additionally, two applications – Garmin’s “Connect” app for iPhone and Android users and Withings’ “Health Mate” app for Android – were found to have security vulnerabilities that could allow a hacker to access and tamper with users’ fitness data.
Hilts said researchers were able to prove that someone with enough know-how could actually alter a user’s fitness tracking results – adding steps to their daily counts, or even adding workouts they never did.
Why would someone want to fake their fitness tracking results, you might ask?
As the report points out, fitness tracker data is increasingly being used in a variety of legal scenarios – from court cases, to corporate wellness programs and health insurance policies.
Avner Levin, director at the Privacy and Cyber Crime Institute at Ryerson University, said the ability to tamper with fitness tracker data could lead to people using it negligently to qualify for health insurance, for example – especially in the U.S.
According to Hilts, while the report doesn’t point to much immediate danger for fitness tracker users, it points to a lack of concern over privacy on the manufacturers’ side.
“You have thousands and thousands of people’s fitness data being transferred insecurely – so what does that say about companies’ concerns about people’s private data?” he said.
Fitbit, Intel (Basis) and Mio were all contacted by Open Effect regarding its study and engaged the researchers in a dialogue about the findings.
Fitbit expressed interest in implementing Bluetooth privacy features in its communications with the researchers.
Apple was not contacted because researchers found no technical vulnerabilities in the Apple Watch.
Both Hilts and Avner told Global News consumers should weigh whether they would feel comfortable with their workout data being accessed before making the decision to buy one of these devices.
“I think the concern would be what happens with my information whether it’s accurate or not. If you are concerned about it I would say consider not purchasing one at all,” said Avner.
“One thing consumers should do is carefully consider whether or not your fitness data needs to be sent over the internet. If you’re not concerned about competing with your friends, for example, you might be better off getting a device that doesn’t do that,” suggested Hilts.