Several of the most popular wearable fitness trackers have security flaws that could allow their wearers to be tracked and give hackers access to login credentials, data and even the ability to enter fake data, Canadian researchers said yesterday.
Of the 8 devices examined by researchers at Open Effect, a Toronto-based non-profit think tank, only Apple’s Watch did not broadcast a unique Bluetooth identifier that would allow the wearer to be tracked, they found.
The other 7 devices – the Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2 and Xiaomi Mi Band – enable tracking via Bluetooth even when the device is not connected to a smartphone, they found.
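The tracking problem described above comes down to whether a device advertises with a persistent Bluetooth LE address or with one that rotates. The following is an added example, not code from the Open Effect report or from any of the vendors named; it applies the address-type rules from the Bluetooth Core Specification (random addresses are sub-typed by the two most significant bits) to classify an observed address and flag the persistent kinds. The sample addresses are constructed for illustration.

```python
"""Classify Bluetooth LE device addresses as persistent (trackable)
or rotating (private), so a device's own advertising can be audited.

Added example; not part of the Open Effect report. Address subtype
rules follow the Bluetooth Core Specification (Link Layer, device
addresses). The sample observations at the bottom are constructed.
"""

PERSISTENT_KINDS = ("public", "random_static")


def classify_ble_address(addr: str, is_random: bool) -> str:
    """Return the address kind for a BLE address.

    addr      : six colon-separated hex octets, most significant first
    is_random : the TxAdd bit from the advertising PDU (True = random
                address type, False = public address type). The bit is
                needed because a public and a random address cannot be
                told apart from the 48 bits alone.
    """
    parts = addr.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed address: {addr!r}")
    octets = [int(p, 16) for p in parts]
    if not is_random:
        return "public"            # IEEE-assigned, never changes
    top_bits = octets[0] >> 6      # two MSBs select the random subtype
    if top_bits == 0b11:
        return "random_static"     # fixed for the device's lifetime (or until power cycle)
    if top_bits == 0b01:
        return "random_resolvable" # rotates; only bonded peers can resolve it
    if top_bits == 0b00:
        return "random_non_resolvable"  # rotates; no linkage at all
    raise ValueError(f"reserved random address subtype in {addr!r}")


def is_trackable(addr: str, is_random: bool) -> bool:
    """True when the address is a stable identifier a bystander could follow."""
    return classify_ble_address(addr, is_random) in PERSISTENT_KINDS


def audit_observations(observations):
    """Summarise a list of (address, is_random) advertising observations.

    Returns the set of distinct persistent addresses seen, which is the
    set of devices that could be tracked across sightings.
    """
    persistent = set()
    for addr, is_random in observations:
        if is_trackable(addr, is_random):
            persistent.add(addr.upper())
    return persistent


if __name__ == "__main__":
    # Constructed sample: one device using a static random address,
    # one using a public address, one rotating resolvable addresses.
    sample = [
        ("C0:11:22:33:44:55", True),   # static random  -> trackable
        ("C0:11:22:33:44:55", True),   # same device seen again
        ("00:1A:7D:DA:71:13", False),  # public         -> trackable
        ("4A:9F:10:00:00:01", True),   # resolvable     -> rotates
        ("6B:12:34:56:78:9A", True),   # resolvable     -> rotates
    ]
    for addr in sorted(audit_observations(sample)):
        print("persistent identifier:", addr)
```

A device that appears only under resolvable or non-resolvable random addresses yields an empty audit set; one that advertises a public or static random address while disconnected from its phone is exactly the case the report describes.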
And all but 2 of the apps used with the devices to gather data and send it to databases were vulnerable, according to an early version of their report, “Every Step you Fake: A Comparative Analysis of Fitness Tracker Privacy and Security.” Apple scored again with its Watch 2.1 app, along with Intel’s Basis Peak 1.14.0 app.
Six of the other apps accepted faked security certificates, letting the researchers read data that was encrypted and sent via HTTPS. The Garmin app was particularly exposed, using HTTPS only for signup and login and leaving all other data open to third parties. The Jawbone and Withings apps allow users to falsify data, according to the report.
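An app that accepts a faked certificate has either switched off TLS peer verification or trusts whatever the device's certificate store trusts. The following is an added example, not code from the report or from any of the apps it examined; it shows the weak client configuration beside a hardened one that verifies the chain, checks the hostname, and additionally pins the backend certificate's SHA-256 fingerprint. The host name `api.example.invalid` and the pin values are placeholders, and the sample certificate bytes are constructed, not a real certificate.

```python
"""TLS client configuration: the weak setting beside the hardened one,
plus certificate-fingerprint pinning.

Added example; not from the Open Effect report or any vendor's app.
`api.example.invalid` and the pins are placeholders.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def weak_context() -> ssl.SSLContext:
    """The configuration that lets a forged certificate through:
    hostname check off, chain verification off. Shown only as the
    'before' state; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain verification against the platform trust store plus
    hostname matching, which is what create_default_context gives."""
    return ssl.create_default_context()


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Quick audit check for a context built elsewhere in an app."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: Iterable[str]) -> bool:
    """True if the certificate's fingerprint equals one of the pins.
    Several pins are allowed so a backup certificate can be rotated in."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pinned)


def pinned_connect(host: str, port: int, pinned: Iterable[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes normal verification AND matches
    a pinned fingerprint. A forged certificate from a locally installed
    CA would pass the first check but fails the second."""
    ctx = hardened_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} matches no pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Placeholder pins: replace with the fingerprints of the real backend
    # certificate and its designated backup.
    PINS = {"<sha256-hex-of-backend-cert>", "<sha256-hex-of-backup-cert>"}
    print("weak context verifies peer:", context_verifies_peer(weak_context()))
    print("hardened context verifies peer:", context_verifies_peer(hardened_context()))
    try:
        pinned_connect("api.example.invalid", 443, PINS)
    except (OSError, ssl.SSLError) as exc:
        print("connection refused or unpinned:", exc)
```

Pinning the leaf certificate's fingerprint is the simplest form; pinning the subject public key is more rotation-friendly but needs ASN.1 parsing, so the fingerprint variant is used here to keep the example dependency-free.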