We know that inherent flaws in wearable devices, especially fitness trackers, can be detrimental to our security because of the nature of the data these devices record. Because they report information such as calories burned, heart rate, sleep duration, and miles walked, these devices are becoming increasingly popular among fitness enthusiasts all over the world. But what if such sensitive data lands in the wrong hands because of a vulnerability or weakness in the device itself?
According to a study published on Thursday by the University of Edinburgh’s computer research team, it is about time that manufacturers improved the security and reliability of these products to protect user data; otherwise, the consequences could be alarming. By exploiting vulnerabilities in the communication mechanism of these gadgets, it is possible to share this data without authorization with third parties such as marketing firms, online retailers, and other stakeholders.
The abovementioned study is a joint effort between University of Edinburgh researchers and researchers from Germany and Italy. To prove their point, the researchers conducted an in-depth security analysis of two of the most famous wearable fitness tracker models, namely the Fitbit One and Fitbit Flex wristbands. Fitbit manufactures both.
The analysis revealed that there was indeed a way to intercept communication between the fitness tracker and the cloud server. It is worth noting that the data captured by the fitness tracker is transmitted to a cloud server for further analysis. Hence, by intercepting this communication, it is quite easy for anyone to access personal information and also generate fake activity logs/records.
The researchers also demonstrated that the end-to-end encryption system responsible for protecting the data on the device could be circumvented. This was done by dismantling the device and changing the information stored in its memory. This way, the encryption was bypassed, and the stored data was accessed.
Thus, it was shown that the security and privacy features built into these fitness trackers were not as efficient and effective as they should have been. When Fitbit was notified about the startling findings of the study, the company responded immediately by promising software patches to improve the security of its devices. Dr. Paul Patras of the University of Edinburgh’s School of Informatics said that this was a welcome change in the attitude of manufacturers.
“Our work demonstrates that security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology development. We welcome Fitbit’s receptiveness to our findings, their professional attitude towards understanding the vulnerabilities we identified, and the timely manner in which they have improved the affected services,” said Dr. Patras.
An official statement from Fitbit regarding this matter read: “We are always looking for ways to strengthen the security of our devices, and in the upcoming days will start rolling out updates that improve device security, including ensuring encrypted communications for trackers launched before Surge. The trust of our customers is paramount, and we carefully design security measures for new products, continuously monitor for new threats, and diligently respond to identified issues.”