Fitbit fitness trackers vulnerable to data theft
All those health freaks wearing Fitbit fitness bands BEWARE: vulnerabilities in your device that tracks heart rate, steps taken and calories burned could enable a hacker to steal your personal information and data.
To prove this point, a team at the University of Edinburgh carried out a detailed security investigation of two popular models of wearable fitness trackers, Fitbit One and Fitbit Flex, made by Fitbit.
Fitbit secures its devices with end-to-end encryption. However, when the Fitbit One and Fitbit Flex were modified to bypass the encryption system, the researchers were able to gain access to the stored information, proving that the devices themselves provided no protection against the hack. Such access could allow the illegal sharing of personal data with third parties such as marketing agencies and online retailers. It could also allow fraudsters to create fake activity records by manipulating the stored data in order to obtain cheaper insurance policies with lower premiums.
The researchers notified Fitbit, which has since updated its software to fix the vulnerabilities and improve the privacy and security of its devices.
“We are always looking for ways to strengthen the security of our devices, and in the upcoming days will start rolling out updates that improve device security, including ensuring encrypted communications for trackers launched prior to Surge [summer 2016],” the company said in a statement.
“The trust of our customers is paramount and we carefully design security measures for new products, continuously monitor for new threats, and diligently respond to identified issues.”
Dr Paul Patras, of the University of Edinburgh’s School of Informatics, who took part in the study, said: “Our work demonstrates that security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology development. We welcome Fitbit’s receptiveness to our findings, their professional attitude towards understanding the vulnerabilities we identified and the timely manner in which they have improved the affected services.”
The findings will be presented at the International Symposium on Research in Attacks (RAID) on 18-20 September. The research was carried out in collaboration with Technische Universitat Darmstadt, Germany, and the University of Padua, Italy. The Edinburgh researchers were part-funded by the Scottish Informatics and Computer Science Alliance.