Are fitness trackers fit for security?
Researchers at the Technical University of Darmstadt (TU Darmstadt) in Germany conducted a study investigating fraud opportunities within fitness trackers and detected serious security vulnerabilities.
Many trackers monitor distances run, measure heart rate and pulse, and check if the user is asleep, but "these data are not only used for the original purpose but are increasingly being used by third parties," says TU Darmstadt professor Ahmad-Reza Sadeghi. He notes data collected by fitness trackers has been used as evidence in court trials, and some health insurance companies recently began offering discounts if insured persons provide personal data from their trackers. Sadeghi says these practices could attract scammers who manipulate the tracked data to fraudulently gain financial benefits or influence a court trial.
The researchers investigated the security of fitness trackers by using a man-in-the-middle attack to manipulate the data on its way to the cloud server, and they examined the security of the communication protocols used by the trackers. They found that although all cloud-based tracking systems use an encrypted protocol to transfer data, the researchers were still able to falsify data. The flaws could be corrected with known standard technologies, but Sadeghi says, "the manufacturers have to put some more effort in employing these technologies in their products."