Fitness trackers monitor your heartbeat and sleep, measure your steps, and connect the user to a larger ecosystem of goal-setting, diet-tracking and other health-related activities. But just how secure are these devices? How do they protect sensitive data such as the health information they collect about you?
These devices are designed to display aggregate fitness information automatically on connected mobile devices and, more often than not, on websites controlled by the manufacturers or service providers. This automatic collection and dissemination of data all began with the monitoring of steps a person took in a day.
Going from one person to millions of users is a huge jump but, as you have probably already seen in your neighborhood, wearables and internet-connected physical devices, vehicles and home appliances – collectively called Internet of Things (IoT) devices – are becoming increasingly popular. For wearables alone, the numbers are staggering: between 2016 and 2017 vendors shipped an estimated 220 million units.
Considering the high adoption rate of wearables and the security flaws they carry, market research firm Gartner estimates that worldwide spending on IoT security will reach $1.5 billion in 2018 and $3.1 billion by 2021.
The Problem With Wearables
When it comes to hardware, seven out of eight wearable devices have shown signs of information leakage, according to research led by Open Effect with significant contributions from the Citizen Lab at the Munk School of Global Affairs at the University of Toronto. One of the existing problems is that these devices emit a persistent unique identifier – a Bluetooth Media Access Control (MAC) address – that exposes their wearers to long-term location tracking.
While this can be addressed, what’s more alarming is that the applications aggregating all the data these devices collect have security vulnerabilities that enable unauthorized third parties to read, write, and delete user data.
Health Data Leaked
You might be surprised, but your credit card details aren’t the only valuable pieces of information that hackers are after. Health records can also be sold for good money on the dark web. In fact, healthcare data breaches have more than doubled in a single year, according to the 2018 Thales Healthcare Threat Report.
The report suggests that the digital transformation, while enabling better healthcare, also creates new risks that need to be addressed in order to protect user data. The use of the cloud, big data, and IoT devices allows organizations to better create and manage data and store information more efficiently, but how that data is stored, well, that’s what creates a problem.
The use of this technology creates the need to use third-party services such as a cloud vendor infrastructure or cloud-based platforms alongside internet-connected heart-rate monitors, implantable defibrillators, and the like. All these new technologies represent an attack opportunity for hackers.
To understand the risks, consider the well-known MyFitnessPal data breach. Under Armour’s MyFitnessPal platform allows users to connect various third-party fitness trackers to their account – such as the Endomondo Sports Tracker or Garmin Connect – meaning that it’s only necessary to access a single platform to collate all the data together. The problem is that MyFitnessPal, alongside other similar platforms, uses a web interface, meaning that your data isn’t stored locally on the device and could therefore end up exposed to hackers if not properly protected. It’s never good whenever your data is stored anywhere online, but especially so when we are talking about the data of 150 million people.
What Can You Do to Protect Your Data?
The only way you can be sure no stranger can access your data is by storing it locally, but this way you will miss out on many of the convenient features such fitness platforms provide. That’s why many users accept the threat that comes from being exposed but still take necessary measures to lower the risk.
The first line of defense is your password, so make sure you generate a unique, cryptographically secure password and store it using a password manager. Second, read the platform’s security policy and the measures that are taken to protect your data. You’d want to ensure that at least a hash combined with a salt (and pepper) is used to protect your password, and with it your data.
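To make "a hash combined with salt (and pepper)" concrete, here is an added example (not code from any platform named in this article) of how a service could store and check a password. The pepper value, function names and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample value: a real pepper is a long random secret kept
# outside the user database (for example in a secrets manager).
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it for your hardware.
ITERATIONS = 600_000


def generate_password(n_bytes: int = 24) -> str:
    """Return a random password drawn from the operating system's CSPRNG."""
    return secrets.token_urlsafe(n_bytes)


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Pepper step: a keyed HMAC, so a stolen database alone cannot be
    # brute-forced without also stealing the pepper.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salt step: a deliberately slow hash with a per-user salt, so equal
    # passwords give different hashes and precomputed tables are useless.
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    """Build the record a service would store for one user."""
    salt = secrets.token_bytes(16)  # unique per user, stored next to the hash
    return {"salt": salt.hex(), "hash": _derive(password, salt, pepper).hex()}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    candidate = _derive(password, bytes.fromhex(record["salt"]), pepper)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    pw = generate_password()
    record = hash_password(pw)
    print(record)
    print("correct password accepted:", verify_password(pw, record))
    print("wrong password accepted:", verify_password(pw + "x", record))
```

The salt is stored with each user record, while the pepper never touches the database, which is why a leaked user table is not enough on its own to test password guesses.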