The popularity of fitness trackers is growing worldwide: in the first quarter of 2016 alone, nearly 20 million were sold. These devices look like a normal watch, but they collect data on their users’ lifestyle and health status to help them with training or losing weight. Many of them record the distance the user runs, measure heart rate and pulse, or check whether the user is asleep via GPS.
Data collected by fitness trackers have been used as evidence in court trials in the US, as reported by Forbes Magazine in 2014. Police and attorneys have started to recognize wearable devices as the human body’s “black box,” the NY Daily News wrote in April 2016. Some health insurance companies even offer discounts to insured persons who provide personal data from their fitness trackers. This prompted Ahmad-Reza Sadeghi, system security professor at the cybersecurity profile area (CYSEC) of TU Darmstadt, and his team to scrutinize these devices for security flaws. “As these wearables are used by third parties, it could attract scammers and fraudsters who may manipulate the tracked data to gain financial benefits or even influence a court trial,” says Sadeghi. This makes it all the more important that the transmission, processing and storage of this sensitive personal data meet high security standards.
Among the 17 different fitness trackers they examined, only devices from four manufacturers ensured that the data remained intact and unaltered. Although all cloud-based tracking systems use an encrypted protocol like HTTPS to transfer data, none of the trackers employs end-to-end encryption or other effective tamper protection measures when synchronizing data. Five companies offered no way to synchronize fitness data with an online service and instead store the collected fitness data on the smartphone in plain text, i.e. unencrypted and readable by everyone. This introduces a risk of unauthorized data leakage should the smartphone be stolen or infected with malware.
Based on the study, Sadeghi advises third parties to be cautious when accepting this data as supporting evidence, and asks manufacturers to employ stringent technologies in their products to fix these flaws.
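What tamper protection that survives the trip through the phone and the HTTPS link can look like, as an added example (not code from the study or from any vendor): the tracker authenticates each record with a key the phone app never sees, and the sync service rejects anything altered or replayed. The per-device key provisioning, the counter field and all names here are assumptions, and the sketch covers integrity only, not encryption.

```python
import hashlib
import hmac
import json

def seal(device_key: bytes, counter: int, record: dict) -> dict:
    """Runs on the tracker: bind the record to a rising counter and MAC it."""
    payload = json.dumps({"ctr": counter, "rec": record},
                         sort_keys=True, separators=(",", ":"))
    tag = hmac.new(device_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

class SyncServer:
    """Hypothetical sync service that knows each tracker's key (assumption)."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys
        self.last_ctr = {}  # highest counter accepted per device

    def accept(self, device_id: str, msg: dict):
        """Return the record if authentic and fresh, otherwise None."""
        key = self.device_keys.get(device_id)
        if key is None:
            return None
        expected = hmac.new(key, msg["payload"].encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison; any change to the payload breaks the tag.
        if not hmac.compare_digest(expected, msg["tag"]):
            return None
        body = json.loads(msg["payload"])
        # Reject replays of an old (genuine) record, e.g. yesterday's run.
        if body["ctr"] <= self.last_ctr.get(device_id, -1):
            return None
        self.last_ctr[device_id] = body["ctr"]
        return body["rec"]

if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample value
    server = SyncServer({"tracker-1": KEY})
    msg = seal(KEY, 1, {"steps": 4200, "hr": 71})
    print("genuine :", server.accept("tracker-1", msg))
    print("replayed:", server.accept("tracker-1", msg))
    # Record changed after leaving the tracker, e.g. in the phone's storage.
    edited = dict(msg, payload=msg["payload"].replace("4200", "42000"))
    print("edited  :", server.accept("tracker-1", edited))
```

HTTPS alone would deliver the edited record unchanged, because the modification happens before the encrypted channel begins; the tag computed on the tracker is what lets the server notice.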