This post is also available in: heעברית (Hebrew)

Researchers detected serious security flaws in fitness trackers. Many of the fitness trackers track via GPS the kilometers the user run, measure heart rate and pulse or check if the user is asleep. “These data are not only used for the original purpose but are increasingly being used by third parties”, explains professor Ahmad-Reza Sadeghi, from the cybersecurity profile area (CYSEC) of TU Darmstadt, Germany.

Data collected by fitness trackers have been used as evidence in court trials in the US, and police and attorneys have started to recognize wearable devices as the human body’s “black box”.

Some health insurance companies recently started to offer discounts if the insured persons provide personal data from their fitness trackers. This could attract scammers who manipulate the tracked data to fraudulently gain financial benefits or even influence a court trial, says Sadeghi. This makes it all the more important that transmission, processing and storing of the sensitive personal data meet high security standards.

The university’s website reports that the study, in cooperation with the University of Padua (Italy), concentrated on manipulating the data on their way to the cloud server and examined the security of communication protocols.

Although all cloud-based tracking systems use an encrypted protocol like HTTPS to transfer data, the researchers were able to falsify data in all cases. Out of all 17 different fitness trackers examined, only devices from four manufacturers took some minor measures to protect data integrity, i.e. to ensure that data remain intact and unaltered. “These hurdles cannot stop a motivated attacker. Scammers can manipulate the data even with very little IT knowledge”, Sadeghi warns, as none of the trackers employ End-to-End encryption or other effective tamper protection measures when synchronizing data.

Five of the examined fitness trackers did not provide a possibility to synchronize fitness data with an online service. However, these manufacturers store the collected fitness data in plain-text, i.e. un-encrypted and readable by everyone, on the smartphone which introduces a potential risk of unauthorized data leakage should the smartphone be stolen or infected with malware.