Could your Fitbit be vulnerable to a hacking attack? Yes, it could, according to a research team from the University of Edinburgh. Vulnerabilities in fitness tracking devices – which commonly monitor heart rate, steps taken, and calories burned – could threaten the privacy and security of the data they record, scientists say.
Exploiting security weak spots in the communication procedures of some gadgets could allow for unauthorised sharing of personal data with third parties, including online retailers and marketing agencies. They could also be targeted to create fake health records, enabling fraudsters to obtain cheaper cover from insurers that reward physical activity with lower premiums.
The Edinburgh-based team carried out an in-depth security analysis of two popular models of wearable fitness trackers made by Fitbit, discovering a way of intercepting messages transmitted between the trackers and cloud servers. This allowed them to access personal information and create false activity records. They also demonstrated how to circumvent the device's end-to-end encryption, which is implemented to keep data secure. By dismantling the devices and modifying information stored in their memory, the researchers bypassed the encryption and gained access to stored data.
As a result of the study, researchers have produced guidelines to help manufacturers remove similar weaknesses from future system designs to ensure users’ personal data is kept private and secure. In response, Fitbit has now developed software patches to improve the privacy and security of its devices.
Dr Paul Patras, Lecturer at the University of Edinburgh’s School of Informatics, said: “Our work demonstrates that security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology development. We welcome Fitbit’s receptiveness to our findings, their professional attitude towards understanding the vulnerabilities we identified and the timely manner in which they have improved the affected services.”
The findings will be presented at the International Symposium on Research in Attacks (RAID) on 18-20 September. The research was carried out in collaboration with Technische Universität Darmstadt in Germany and the University of Padua in Italy. The Edinburgh researchers were part-funded by the Scottish Informatics and Computer Science Alliance (SICSA).