Proving the Business Case for the Internet of Things

Major fitness devices leak personal information, say Toronto researchers

Steve Rogerson
February 16, 2016
Researchers at the University of Toronto have found major security and privacy issues in devices made by Basis, Fitbit, Garmin, Jawbone, Mio, Withings and Xiaomi. The research involved analysing data transmissions between the internet and apps for the fitness trackers.
The report shows that Bluetooth on seven fitness trackers studied leaks personal data that enable anyone near a device to track a user’s location over time. Researchers also found that certain devices by Garmin and Withings transmit information without encryption, leaking other personal data to anyone with the know-how to collect the leaks.
The researchers also analysed the Apple Watch and found no issues.
The report is a collaborative effort between Open Effect, a non-profit applied research group focusing on digital privacy and security, and the Citizen Lab at the Munk School of Global Affairs at UofT. Open Effect previously published research on the security of ad tracking cookies. It also developed Access My Info, an application that makes it easy for Canadians to file legal requests for access to their personal information.
“I hadn’t thought about the issues too much,” said Barb Gormley, a personal trainer whose clients use the devices, “that somebody could find me using my watch. The upside is they’re so great.” She uses a Garmin device. “I guess we’re maybe a bit blind that there could be a downside.”
The downside, said Andrew Hilts, one of the report’s authors, stems from the fact that each device has a unique identifier emitted constantly via Bluetooth, even after users think they’ve stopped using it.
Hilts, the executive director of Open Effect and a research fellow with the Citizen Lab at the Munk School, said that meant anyone – from savvy analytics firms or just someone in a coffee shop – could collect that unique identifier and, in some cases, collect location and a whole lot more.
“The perception might be, ‘Okay, I’m done with this. I’m turning off Bluetooth,’ but your tracker is still emitting this unique identifier, even if your phone has Bluetooth turned off,” Hilts said. “There is a Bluetooth privacy standard in place that provides specifications on how device manufacturers can protect the privacy of their users. We’re trying to encourage fitness tracking companies to adopt this standard.”
Most devices mentioned in the report do not implement Bluetooth privacy, leaving users vulnerable to location-based surveillance.
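As an added illustration, not code from the article or the report, the Go program below shows the mechanism that the Bluetooth privacy standard (LE Privacy with resolvable private addresses) uses to avoid the constant identifier described above: each advertised address is rebuilt from a fresh random value and a hash keyed with the Identity Resolving Key (IRK) shared at bonding time, so only a peer that holds the IRK can link one address to the next. The IRK and random values are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
)

// ah is the Bluetooth random address hash: the low 24 bits of AES-128
// encrypting a block whose only non-zero bytes are the 24-bit prand.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		panic(err) // a 16-byte key is always accepted
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // prand occupies the least significant 24 bits
	block.Encrypt(out[:], in[:])
	var hash [3]byte
	copy(hash[:], out[13:])
	return hash
}

// NewResolvableAddress builds a 48-bit resolvable private address in printed
// (most significant byte first) order: prand, with its top two bits forced to
// 01 to mark the address type, followed by hash = ah(IRK, prand). A device
// that rotates prand regularly never advertises the same address for long.
func NewResolvableAddress(irk [16]byte, prand [3]byte) [6]byte {
	prand[0] = prand[0]&0x3f | 0x40
	hash := ah(irk, prand)
	var addr [6]byte
	copy(addr[0:3], prand[:])
	copy(addr[3:6], hash[:])
	return addr
}

// Resolve reports whether addr was produced with irk: a bonded peer holding
// the IRK recomputes the hash from the public prand half and compares it.
// Anyone without the IRK sees only unrelated random addresses.
func Resolve(irk [16]byte, addr [6]byte) bool {
	if addr[0]>>6 != 0x01 {
		return false // not a resolvable private address
	}
	var prand [3]byte
	copy(prand[:], addr[0:3])
	hash := ah(irk, prand)
	return bytes.Equal(hash[:], addr[3:6])
}
```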
“We hope our findings will help consumers make more informed decisions about how they use fitness trackers, help companies improve the privacy and security of their offerings, and help regulators understand the current landscape of wearable products,” Hilts said.
Their findings come on the heels of a report by Professor Guy Faulkner and master's student Krystn Orr of UofT's Faculty of Kinesiology & Physical Education that examined the reliability of smartphone pedometer applications.
Released at the end of 2015, that research found an “unacceptable error percentage” in all apps compared with actual pedometers and urged “caution in their promotion to the public for self-monitoring physical activity and in their use as tools for assessing physical activity in research trials”.
The Citizen Lab and Open Effect researchers sought contact with the seven fitness tracker companies whose products exhibited security vulnerabilities. Fitbit, Intel (Basis) and Mio responded and engaged the researchers in a dialogue. Fitbit further expressed interest in exploring the topic of implementing Bluetooth privacy features in its communications with the researchers. Out of the devices studied, only the Apple Watch adopted the Bluetooth privacy standard.
The report’s authors – Hilts, Christopher Parsons and Jeffrey Knockel – revealed a third issue that arose in the Withings and Jawbone devices: users can falsify their own activity levels. The findings cast doubt on the reliability of data for insurance or other purposes.
“Maybe I’m naïve,” Gormley said. “Maybe an insurance company is conducting top-secret research on me and decides they don’t want to give me insurance. Should I be worried?”