Fitbit devices are prone to vulnerabilities which could enable an attacker to access personal information and even create false activity records.
University of Edinburgh researchers developed a technique that exploits weaknesses in the devices’ communication procedures to intercept messages transmitted between fitness trackers and cloud servers, bypass their end-to-end encryption and ultimately manipulate user data, according to a Sept. 15 post.
This attack could also be used by Fitbit owners themselves to manipulate data sent to insurance companies in an effort to obtain cheaper coverage from firms that reward physical activity.
Researchers notified Fitbit, which has since developed software patches for the vulnerabilities, and provided guidelines to help manufacturers remove similar weaknesses from future system designs to ensure users’ personal data is kept private and secure.
“Our work demonstrates that security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology development,” Dr Paul Patras of the School of Informatics said in the post. “We welcome Fitbit’s receptiveness to our findings, their professional attitude towards understanding the vulnerabilities we identified and the timely manner in which they have improved the affected services.”
The attacks help to highlight the growing importance of physical activity data, Synopsys Principal Consultant Dan Lyon told SC Media.
“While the current monetary impact is small, the future is likely going to have this data being more and more valuable,” Lyon said. “Wearables in general are evolving to collect much more data to provide increased benefits, but this also increases the potential risks.”
At the same time, Lyon warns that the data collected by these devices could be misused by insurance companies as well. If they detect that a patient may have movement disorders, this information could then be relayed to raise a user’s premiums.
“The Fitbit example highlights one element of good design in that they are able to release software updates to address the issue,” Lyon said. “The ability to deliver secure software updates is a crucial design element that many devices do not have.”
Earlier this year, researchers developed attacks that use sound to manipulate the accelerometers in devices like Fitbits and add extra step counts to the device.