
Fitness wearables and apps vulnerable to hacking, experts warn

The problem of fitness device hacking has to be seen from two perspectives: from users and vendors.

By Nivriti Butalla - Senior Reporter

Published: Fri 26 Jun 2015, 2:04 AM

Last updated: Wed 8 Jul 2015, 3:09 PM

Dubai — “I keep my sleep data locked,” said Manoranjani Sampath, a PR professional, who wears a fitness device on her wrist and has been known to take up to 40,000 steps a day, all monitored by her wrist band.

The fitness band monitors Sampath’s daily exercise. Among other data, it keeps track of the calories she has consumed and burnt, the steps she has taken and the hours she has slept.

There are others she knows who use these devices. And Sampath interacts with a group of 12 people — colleagues and friends — a team with whom she shares the data, sets goals, and swaps activity updates. The team members compare notes — who’s walked how much today, etc — and motivate each other.

Sampath, though, like several users of fitness devices, is unaware that her fitness data could be hacked and information stolen. It’s not something she’s considered, and she says it’s “strange and scary that people can do that”. The only precaution she takes so far is to lock her sleep data, and she shares her activity only with her closed circle of 12.

Now, while getting hold of someone’s sleep pattern data doesn’t seem all that perilous, the danger is that most fitness devices are hooked and synced to smartphones and tabs. So hacking fitness devices extends to extracting phone data, photos, emails and address books.

Mohamed Djenane, Security Specialist, ESET Middle East said: “Fitness trackers are designed to record every aspect of a user’s daily life — how much they exercise, eat, sleep and even vital statistics such as blood pressure and heart rate”.

Djenane added: “In the wrong hands this data can be used for aggressive targeted advertising while personal data shared by these devices such as the user’s name and age can even be used for identity theft. And while most fitness trackers don’t have in-built GPS sensors, their interaction with your smart device can potentially broadcast your location information, which opens avenues to cyber and even physical stalking.”

According to Djenane, the security vulnerability arises out of the use of Bluetooth Low Energy (BLE) technology, which connects these devices to things like smartphones and tablets.

But as you get fit, your security turns out of shape.

Secure security

Mohammed Amin Hasbini, a senior security researcher, Global Research and Analysis Team, Middle East, Turkey and Africa, Kaspersky Lab, has two fitness devices at home. He thinks they are amazing, and have a lot of advantages “but security isn’t one of them.” 

Hasbini said: “We need to be careful when addressing the smart concept. Smart cities, smartphones, smart fitness devices — especially in Dubai, with the move towards smart infrastructure… everything smart is prone to hacking.

“Smartphones and fitness devices are just an introduction for a hacker to get into your future devices, your banking information,” says Hasbini.

“Any wearable device, even a smartwatch,” he says, “can be misused by a hacker; especially if it has a microphone and a camera.”

The problem of fitness device hacking has to be seen from two perspectives: from users and vendors.

“Vendors,” he says, “unfortunately are too busy advancing features and functionality, to really care about security.”

It’s up to the users to be careful. Hasbini is a great advocate of not installing too many apps on your devices, and not clicking the ‘I accept’ permission granting too often.

Some vendors beg to differ.

Defending allegations of possible lax security, Jawbone, one such company that makes these fitness bands, said: “We take security extremely seriously. We provide two versions of the UP Band. One connects through the audio interface on the phone, providing a secure connection without utilising any wireless functionality. The second — the UP24, UPmove, UP2 & UP3 bands — provides a wireless connection using BTLE and we have put in place additional security mechanisms to provide a secure wireless connection. In addition, our phone-to-band wireless protocols have been independently audited by a third party security firm”. 

From fitness wrist band to fit chest band

Adil Firdosh Firoz, a 23-year-old account executive with a maritime logistics company, wore one particular fitness device on his wrist for a year before he gave it up two weeks ago. Firoz had a goal of losing 5 kgs in four months, which he did. (Asked whether he could have lost the weight with or without a fitness device, he said he could have, but “I wouldn’t have been able to track the loss on a daily basis. The device serves as a log book.”)

Now, Firoz wears a belt around his chest, another fitness device, that suits him better, as his fitness goals have changed from weight loss to muscle building.

“I’m a gym lifter now, I couldn’t monitor my goals anymore with a footsteps tracker.”

But is he aware of the security threat of wearables?

“Yes,” he said.

He is aware of the information that can be hacked, and he keeps what he can on the locked option, with high security. It matters to him if his phone information gets into the wrong hands, especially the photo library and contacts list.

Email is less of a concern as “I keep changing my email password.” 

Djenane said: “An app and a smartphone are enough for hackers to intercept private data. Researchers actually uncovered cases of the fitness apps communicating with multiple remote servers, which raises questions of what companies could be doing with the information that is being collected”.

The take-away for users is that new and emerging technologies usually have associated IT security risks. Unfortunately, as Djenane pointed out, hackers seem to uncover these faster than device manufacturers.

Secure yourself

1.    To overcome ‘location stalking’, don’t use your real name. It is safer instead to use an alias.

2.    Opt for a device that only transmits data when you turn on the Bluetooth/Wi-Fi connection.

3.    There are models, which sport ‘sync’ buttons that do exactly this and as an added bonus, this saves battery life.

4.    Exercise restraint when sharing achievements on social media. While popular fitness trackers encourage users to share their accomplishments, it is data that can be used as fodder for cyber stalking and social exploitation.

5.    Many of these devices connect to apps, which in turn require you to set up an account and password. It is therefore advisable to use a strong password that consists of a mix of upper and lower case letters and special characters.

6.    Be wary of the permissions the app requests. For example, a fitness app that requires access to your contact list should raise alarm bells.

(Source: Mohamed Djenane, Security Specialist, ESET Middle East)

