Wearable technology devices can measure heart rate, count steps and track sleeping habits — but they can also reveal a wealth of sensitive information about their users’ daily activities to hackers.
Gadgets in the fitness tracker industry are insufficiently secured and could leak personal information to third parties, a new study from the University of Edinburgh distributed by the National Bureau of Economic Research found. Scientists there looked at two top-selling models from Fitbit and found data could be intercepted as it was being transmitted from devices to the cloud servers used for storage and analysis. The researchers were also able to bypass end-to-end encryption and access information on the device itself by physically taking it apart.
“Our work demonstrates that security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology development,” Dr. Paul Patras, assistant professor at the University of Edinburgh’s School of Informatics, said in a statement.
Fitbit is working with the researchers to patch the issues raised by the report, a company spokesperson told MarketWatch. The company said it is not aware of any data that was actually compromised by these issues.
“We are proud to be recognized by the researchers for employing the most effective security mechanisms in our products when compared to other vendors,” the spokesperson said. “The trust of our customers is paramount and we carefully design security measures for new products, continuously monitor for new threats, and diligently respond to identified issues.”
Although demand for wearables fell slightly in late 2016, the value of the market is expected to grow to $51.6 billion by 2022 from $15.74 billion in 2015. At its launch event last week, Apple chief executive Tim Cook claimed the Apple Watch is now the most-used heart rate monitor in the world. As more people buy wearables and the capabilities of the devices expand, it is important that companies continually update security, said Ramon Llamas, research manager of wearables and mobile phones for market research company International Data Corporation (IDC).
“There are two kinds of companies in the world: Those that have been hacked and those that are about to be hacked,” he said. “Almost any device can be hacked, let’s acknowledge that and realize what’s at stake here.”
Information like the number of steps a user takes or calories they burn in a day may not be useful to a hacker, but the metadata from the device — or information that can be derived from the data — is valuable. Through wearable data, bad actors could see what time a user sleeps, where they go, and when they are out of the house. This could leave users vulnerable to theft and abuse.
Some devices also share and store sensitive medical data, putting people at higher risk if hacked, Llamas said. The recent hack of Equifax shows just how many places are at risk, he added. “Anything can be hacked,” he said. “And the more data you keep on a device, the more value it has to you and the more value it has to hackers. If it can happen to [Equifax], it can happen to you.”