New Research Says Fitness Trackers and Their Apps Are Transmitting Data About Us

A startling study by a Canadian research team has revealed that some popular types of fitness trackers actually transmit a signal via Bluetooth. It is believed that this ‘identifier’ signal could be picked up by the kinds of beacons that are now being used by retail stores and shopping centres to track, recognise and profile customers.

The research team also discovered that the apps that accompany these ‘sports wearables’ could be leaking our login credentials and are transmitting our activity tracking information in a non-secure way, thus leaving it open to interception and tampering.

Which Devices?

The devices named in the research as those that transmit the signal and potentially ‘leak’ data include Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2 and Xiaomi Mi Band.

One device that the researchers found not to be transmitting any identifier signal, however, was the Apple Watch, which uses part of the Bluetooth LE standard to prevent external tracking by changing its MAC address.

How Was This Discovered?

The Citizen Lab at the Munk School of Global Affairs, University of Toronto, which carried out the research, used what is known in cryptography and computer security as a man-in-the-middle attack, where a third party relays and possibly alters the communication between two other parties.

In this case, the researchers found that they were able to use fake security certificates to spy on traffic between the apps and their servers for all of the fitness devices’ apps apart from those for Apple's Watch 2.1 and Intel's Basis Peak 1.14.0.

It is believed that the Apple and Intel devices and apps proved more secure in this research because they use the ‘certificate pinning’ technique, which means that they can’t be fooled by fake security certificates.
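As an added illustration (not code from the study or from any of the vendors named above), this is the kind of pin check that lets an app reject a forged certificate even when the device's trust store has been tricked into accepting it. The two certificate byte strings are constructed stand-ins, and the connection helper assumes a hypothetical host name supplied by the caller.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_fingerprints: set) -> bool:
    """True only if the presented certificate is one the app shipped a pin for.

    A forged certificate issued by a CA the device has been made to trust still
    passes ordinary chain validation, but it can never match a compiled-in pin.
    """
    return fingerprint(der_cert) in pinned_fingerprints


def open_pinned_connection(host: str, port: int, pinned_fingerprints: set) -> ssl.SSLSocket:
    """Standard TLS validation first, then the pin check on the leaf certificate."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port))
    tls = ctx.wrap_socket(sock, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)  # DER bytes of the server certificate
    if not pin_matches(leaf, pinned_fingerprints):
        tls.close()
        raise ssl.SSLCertVerificationError("server certificate does not match any pinned fingerprint")
    return tls


# Constructed stand-ins for the DER bytes of two certificates (not real certificates).
GENUINE_CERT = b"constructed-der-bytes-of-the-vendor-api-certificate"
FORGED_CERT = b"constructed-der-bytes-of-an-interception-certificate"

# What a pinning app ships: the fingerprint(s) of its own backend certificate.
PINNED = {fingerprint(GENUINE_CERT)}

if __name__ == "__main__":
    print("genuine accepted:", pin_matches(GENUINE_CERT, PINNED))  # True
    print("forged accepted:", pin_matches(FORGED_CERT, PINNED))    # False
```

Shipping a second pin for a backup key keeps the app working across a certificate rotation without weakening the check.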

What Could This Mean For Businesses?

For any businesses that are able to collect this data and link it to us as individual consumers, it could conceivably mean the ability to target us with offers and information for other relevant goods and services, or even to share those details with third parties.

One worrying aspect, however, is that under European data protection law the data that these fitness devices generate could be considered personal information, and therefore the devices should be more secure.

Breaches of personal data security could therefore lead to sports device companies facing legal challenges from users if it could be proven that their personal data had been stolen through the device or app.

It is also conceivable that, although these devices are not considered ‘medical devices’, the data they collect about us could have a value to medical or insurance-based organisations if it could be accurately linked to us.