New Research Warns of Security Lapses in Popular Fitness Trackers

The wearable technology boom may take a hit after a February 2 report warned that many leading fitness trackers, including products from Fitbit, Garmin, Jawbone, Mio, Xiaomi, Basis, and Withings, hold major security and privacy blind spots.

The report, conducted by the Canadian non-profit research group Open Effect and Citizen Lab at the Munk School of Global Affairs, University of Toronto, found that all of the studied wearables listed above leaked data; only the Apple Watch, which was also examined, did not.

Titled Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security, the research was authored by Andrew Hilts, Christopher Parsons, and Jeffrey Knockel, and funded by the Office of the Privacy Commissioner of Canada.

The report indicates that third parties, like shopping centers and those looking for location-based monitoring, can collect and map wearers’ movements (among other stats).

Photo courtesy Open Research

Chart courtesy Open Effect, Every Step You Fake

“Our findings directly relate to the case of shopping centers that scan for Bluetooth devices to monitor customer journeys as they move from store to store. As an example, a mall visitor wearing a Fitbit Charge HR might have turned off their phone’s Bluetooth radio to save power, or forgotten their phone at home or in the car. In either case, the Fitbit device would emit advertising packets detectable by the shopping centre’s scanning. Since the Fitbit does not change its MAC address the shopping center can monitor the presence of the MAC address relative to its scanners and pinpoint the customer’s location. The shopping center could record all this location data for future study.”

The report concluded:

“Few customers are likely to consider, or to consent to, these scenarios as they enter shopping centers and begin invisibly broadcasting their location to small sensors throughout their built environment.”
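To make the mechanism in the report's shopping-centre scenario concrete, here is an added Python simulation; it is not code from the report, the article, or any of the vendors named. It models a wearer walking past a set of Bluetooth scanners and compares what an operator can link together when the tracker advertises one fixed address (the behaviour described for the Fitbit) against a tracker that rotates a random-looking address every interval, which is the Bluetooth privacy feature Fitbit told the researchers it was exploring. The scanner locations, timings, device key, and rotation interval are all constructed, and the hash-based address derivation stands in for the real resolvable-private-address scheme.

```python
import hashlib
from collections import defaultdict

# Constructed path of one wearer through a mall: (seconds since entry, scanner location)
WEARER_PATH = [
    (0, "entrance"),
    (300, "store_A"),
    (1200, "food_court"),
    (2400, "store_B"),
    (3600, "exit"),
]

ROTATION_INTERVAL_S = 900          # hypothetical 15-minute rotation period
DEVICE_KEY = b"constructed-device-key"  # stands in for a per-device secret (e.g. an IRK)


def _fmt(b: bytes) -> str:
    """Render six bytes as a colon-separated address string."""
    return ":".join(f"{x:02x}" for x in b)


def static_address(device_key: bytes, t: int) -> str:
    """Tracker that never changes its advertising address: the case the report describes."""
    return _fmt(hashlib.sha256(device_key).digest()[:6])


def rotating_address(device_key: bytes, t: int) -> str:
    """Stand-in for a Bluetooth resolvable private address: a fresh, unpredictable
    address each interval. Only a party holding device_key can recompute it."""
    interval = t // ROTATION_INTERVAL_S
    digest = hashlib.sha256(device_key + interval.to_bytes(4, "big")).digest()
    return _fmt(digest[:6])


def scanner_log(path, address_fn, device_key=DEVICE_KEY):
    """What the mall's scanners record: (time, location, advertised address)."""
    return [(t, loc, address_fn(device_key, t)) for t, loc in path]


def link_by_address(log):
    """The scanner operator's only handle for linking sightings is the address."""
    journeys = defaultdict(list)
    for t, loc, addr in log:
        journeys[addr].append((t, loc))
    return dict(journeys)


def longest_linkable_journey(log) -> int:
    """Largest number of locations an operator can chain to a single address."""
    return max(len(sightings) for sightings in link_by_address(log).values())


def owner_can_resolve(log, device_key=DEVICE_KEY) -> bool:
    """The paired phone, which knows the secret, can still recognise every
    rotated address; a bystander scanner without the key cannot."""
    return all(addr == rotating_address(device_key, t) for t, _, addr in log)


if __name__ == "__main__":
    fixed = scanner_log(WEARER_PATH, static_address)
    rotated = scanner_log(WEARER_PATH, rotating_address)
    print("fixed address: ", len(link_by_address(fixed)), "address(es),",
          longest_linkable_journey(fixed), "locations linkable")
    print("rotating:      ", len(link_by_address(rotated)), "address(es),",
          longest_linkable_journey(rotated), "locations linkable")
    print("owner resolves rotated log:", owner_can_resolve(rotated))
```

With the fixed address, all five sightings collapse onto one identifier, so the operator recovers the whole journey; with rotation, the same walk fragments into four unlinkable identifiers, and only the sightings inside one interval (entrance and store_A here) can be chained. Shortening the interval shrinks that window further, which is the trade-off a vendor tunes when enabling the feature.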

The news shines a brighter spotlight on wearables and other fitness apps that are increasingly recording more sensitive data than just steps — including sleeping times and patterns, geolocation information, foods consumed, and connections to social media accounts. It is also raising anxiety among consumers about what exactly wearable companies can do with consumer data. Many observers have said that the real value for wearable brands isn’t the product, but the data.

Just last week, Under Armour CEO Kevin Plank touted the brand’s new Connected Fitness apps as not only “enriching lives” by helping users reach their fitness goals, but also as “a business transformation for Under Armour.” Before Connected Fitness, the company only had retail transaction information for less than 10 million people. Now, Plank said, Under Armour has daily activity level data from its community members, who logged nearly 8 billion foods and 2 billion activities last year alone.

Within the recent report, some applications by Garmin and Withings were found to transmit without encryption not only fitness-tracking data but also biographical details such as name, age, and gender. Another red flag was that some applications allowed activity levels to be falsified, which could produce unreliable data for insurance purposes.

Brands named in the report told SGB Weekly the research exaggerates the dangers.


“Withings does not believe any customer is at risk of having their location tracked over the long term using the Withings Pulse O2,” Withings CEO, Cedric Hutchings said. “The transmission of data using BLE (Bluetooth Low Energy) described by the Open Effect research is not a constant stream but occurs when the device syncs with a users’ smartphone… and no identifying information is contained within these transfers.”

The researchers sought contact with the seven fitness tracker companies whose products exhibited security vulnerabilities. Fitbit, Intel (Basis), and Mio responded and engaged the researchers in a dialogue. Fitbit further expressed interest in exploring the topic of implementing Bluetooth privacy features in its communications with the researchers.

“Based on our devices, we don’t think the public should be concerned,” said Julian Palmer, director of technology at Mio Global. “Our devices only transmit workout data, activity data, and sleep data. No other personal profile or identifying information can be intercepted as it is not transmitted from our devices.”

In regard to retailers who may deal with a backlash from concerned fitness-tracking consumers, Palmer offered this advice to share with customers: “Users have a choice to opt-in to share their data. Plus, our data analysis is anonymized, meaning we are not analyzing personal information specific to any particular user.”

Internally, Mio currently uses consumer data to gain insights on how to improve the user experience, Palmer explained.

Garmin also weighed in, telling SGB that the company is continually working on software and device improvements. “We are committed to responding quickly to identified issues, and are working diligently to provide an updated version of Garmin Connect Mobile with enhanced data encryption,” said the company. “These updates for Android, iPhone, and Windows applications are expected to be complete and available for download by next week at the latest. We are not aware of any security incidents related to this issue.”

In the end, the authors of the turbulent study said the purpose was to help consumers make more informed decisions about how they use fitness trackers, and to help companies improve the privacy and security of their offerings.