Fitbit issues security patch to protect users’ personal data following report.
Fitness bands may be able to track heart rates and step counts pretty well, but a new study suggests they could improve at safeguarding users’ personal and biometric data.
Researchers from the the University of Edinburgh found that vulnerabilities in devices that are used by consumers to track heart rate, steps, calories and sleep stages, including popular devices made by Fitbit, may pose certain threats to the privacy and security of the data they record.
Malicious actors that exploit these security weak spots could share personal data without authorization to third parties, such as online retailers and marketing agencies, according to the study.
Submit Your Nominations For The SportTechie Awards!
The gadgets could also be targeted to create fake health records. By sending insurance companies false activity data from other users, fraudsters could potentially obtain cheaper insurance rates from the types of insurers that reward physical activity with lower premiums.
The Edinburgh researchers, which carried out an in-depth security analysis of two fitness trackers made by Fitbit, said they discovered this via a loophole that allowed messages transmitted between fitness trackers and cloud servers to be intercepted.
The encryption that keeps the data secure on the device itself was also found to have weaknesses. Bad actors could dismantle devices by modifying information stored in their memory, thus bypassing the encryption system and gaining access to stored data.
Fitbit said it’s “very aware” of the report and has collaborated with the researchers to roll out updates to address the issues raised. To date, Fitbit said it is not aware of any “actual compromise of user data” that has occurred due to these issues.
“We are always looking for ways to strengthen the security of our devices,” a Fitbit spokesperson said in the company’s online community forums.
All Fitbit devices since the 2015 launch of Fitbit Surge have used end-to-end encryption to protect the data stored on devices. The software patches Fitbit said it’s rolling out in response to this report include encrypting communications for trackers launched prior to Surge.
Guidelines provided by the Edinburgh researchers to Fitbit and other device manufacturers include ensuring weaknesses such as these are absent from future system designs.
