The University of Edinburgh has released results from a new study that reveals how personal information can be stolen from Fitbit fitness bands.
Researchers analyzed the Fitbit One and Fitbit Flex wristbands, and discovered a way of intercepting messages transmitted between fitness trackers and the cloud servers where data is sent for analysis. This allowed them to access personal information and create false activity records, thus sharing unauthorized personal data with third parties.
These include online retailers and marketing agencies. As corporate wellness programs evolve, they include things like physical activity as a basis to offer discounts on insurance or rewards such as gift cards. Enterprising fraudsters could send such companies false activity data, thereby manipulating rates.
“These monetary incentives are being tied to and distributed based on user’s activity data,” said Dan Lyon, principal consultant at Synopsys, via email. “While the current monetary impact is small, the future is likely going to have this data being more and more valuable. Wearables in general are evolving to collect much more data to provide increased benefits, but this also increases the potential risks. Medical conditions, such as movement disorders, are currently being studied for early indicators related to physical activity through commercially available wearable devices. It may be possible to identify that people have movement disorders such as Parkinson’s disease through specific profiles or changes in things like a person’s walking gait or arm movements.”
If this kind of analysis can be performed now or anytime in the future, it could be used to determine whether a person has a specific medical condition; and, the impact of this to the individual could be raised healthcare premiums or even denied coverage due to pre-existing conditions. Further, once the data is in the hands of an organization, it could potentially be sold for other purposes.
“While this kind of big data potential is still in its infancy, the risks are real and need to be understood,” Lyon said. “The wearables and their data transfer, storage and analysis systems need to be designed to minimize the risks. Organizations need to address security and privacy through a comprehensive effort to build security into the entire development process. The Fitbit example highlights one element of good design in that they are able to release software updates to address the issue. The ability to deliver secure software updates is a crucial design element that many devices do not have."
The researchers have produced guidelines to help manufacturers remove similar weaknesses from future system designs to ensure users’ personal data is kept private and secure, and in response to the findings, Fitbit has developed software patches to improve the privacy and security of its devices.
“Our work demonstrates that security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology development,” said Paul Patras, a researcher at the School of Informatics and part of the team who uncovered the issue. “We welcome Fitbit’s receptiveness to our findings, their professional attitude towards understanding the vulnerabilities we identified and the timely manner in which they have improved the affected services.”
Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/