Is Your Fitness Tracker Putting Your Security At Risk?

Gavin Phillips 19-04-2016

Considering where our data is going to leak from is a difficult task. We take the necessary precautions across our devices, installing antivirus software, running malware scans, and hopefully double- and triple-checking emails for anything suspicious. These are only a few of the potential attack vectors awaiting us.


Security researchers have revealed that aside from our “regular” devices, one of the newest forms of technology could be providing attackers with an unexpected but easily-accessible angle to steal our personal data. Fitness trackers have recently come under the security spotlight after a technical report highlighted a series of serious security flaws in their designs, theoretically allowing potential attackers to intercept your personal data.

Fatal Fitness Flaws

Fitness trackers have seen an unprecedented rise in popularity 17 Best Health and Fitness Gadgets to Improve Your Body Over the past few years, innovation around health and fitness gadgets has exploded. Here are just a few of the amazing pieces of kit you'll be able to use to keep you feeling great. Read More throughout the last few years. The 4th quarter of 2015 alone saw a massive 197% rise in year-on-year sales, from 7.1 million to 21 million units. Market analysts Parks Associates estimate the global fitness tracker market will continue to grow, rising from $2 billion in 2014 to $5.4 billion in 2019. These are significant gains, indicating the number of users potentially exposing themselves to this previously-unknown attack vector.

Fitness Trackers Included in Study#

Canadian not-for-profit research organization Open Effect, and interdisciplinary research laboratory Citizen Lab, examined eight of the most popular fitness wearables currently available: the Apple Watch, the Basis Peak, the Fitbit Charge HR, the Garmin Vivosmart, the Jawbone UP 2, the Mio Fuse, the Withings Pulse O2, and the Xiaomi Mi Band.

The combined research report sought to discover the steps the technology companies are taking to protect and maintain your data security. While we know and understand fitness trackers will collect heartbeats, footsteps, calories, and sleep data, the researchers explored just what happens to that data when it is in the hands of the device developers.


What data is sent to a remote server? How do the technology companies secure the data? Who is it shared with? How do the companies actually make use of the information?

Key findings included:

  • Seven out of eight fitness tracking devices emit persistent unique identifiers (Bluetooth Media Access Control address) that can expose their wearers to long-term tracking of their location when the device is not paired, and connected to, a mobile device.
  • Jawbone and Withings applications can be exploited to create fake fitness band records. Such fake records call into question the reliability of that fitness tracker data use in court cases and insurance programs.
  • The Garmin Connect applications (iPhone and Android) and Withings Health Mate (Android) application have security vulnerabilities that enable an unauthorized third-party to read, write, and delete user data.
  • Garmin Connect does not employ basic data transmission security practices for its iOS or Android applications and consequently exposes fitness information to surveillance or tampering.

Persistent Unique Identifiers

Wearable technology emits a persistent Bluetooth signal. Whether smartwatch or fitness tracker, this signal is used to consistently communicate with your smartphone. Their communication with the external device is maintained using a MAC (Media Access Control) Address IP and MAC Address: What Are They Good For? The internet isn't so different from the regular postal service. Instead of a home address, we have IP addresses. Instead of names, we have MAC addresses. Together, they get the data to your door. Here's... Read More , uniquely identifying the fitness tracker.

Example MAC Address


In the context of fitness trackers, personal data security maintenance demands these addresses be randomized to ensure the user cannot be tracker and identified by the MAC Address. Bluetooth beacons, used with increasing frequency in shopping malls to create targeted mobile advertising, can track and profile those devices using a single MAC Address (they can also be built by anyone with a suitable, compact computer Build a DIY iBeacon with a Raspberry Pi Advertisements targeted to a particular user walking through a metropolitan center are the stuff of dystopian futures. But that isn't a dystopian future at all: the technology is already here. Read More ). Indeed, of the devices tested only the Apple Watch randomized its MAC Address “at an approximately 10 minute interval” to protect its user’s identity.

With the persistent MAC Address logged, the user’s location could feasibly be tracked from beacon to beacon. If a shopping centre decides to collect user location information throughout their shopping visit, the data could be sold to a marketing agency, or other data broker, without first notifying the user. If a single data broker can purchase multiple profiles, information can be collated to build sophisticated targeted advertising profiles, activated each time the user (and their unique device identifier) enters the building.

The Apps Are Just As Bad

Each fitness tracker comes with its own monitoring app, capturing the plethora of fitness-related data and translating it into a nice visual depiction of the users actions. However, the apps themselves have been found to leak personal information, at multiple transmission locations.

Fitness Tracker Security Protocols


For instance, one would expect any transmission of personal data to be encrypted using HTTPS at the very least What Is HTTPS & How To Enable Secure Connections Per Default Security concerns are spreading far and wide and have reached the forefront of most everybody's mind. Terms like antivirus or firewall are no longer strange vocabulary and are not only understood, but also used by... Read More ; the Garmin Connect failed to do even that, leaving user data passively exposed to a potential eavesdropper.

Similarly, although the Bellabeat Leaf and Withings Health Mate communicate with remote servers using HTTPS, both companies sent plaintext emails to users to confirm their sign-up credentials, leaving users open to man-in-the-middle attacks. Any attacker with a working knowledge of the Bellabeat or Withings API could access a wide range of personal fitness information in minutes. This form of attack could also be used to push malicious or false data to the wearable or the user’s phone, too.

Data Tampering

Three of the fitness tracker apps observed “were vulnerable to a motivated user creating false generated fitness data for their own account,” tricking company servers into accepting fake data. Open Effect and Citizen Lab created several applications designed to trick the fitness tracker servers into accepting false information, with Bellabeat LEAF, Jawbone UP, and Withings Health Mate coming up short.

“We sent a request to Jawbone stating that our test user took ten billion steps in a single day”

Their application evenly distributed step timings into fixed intervals over a desired timeframe, creating an artificial distribution of steps. The researchers concluded a more sophisticated approach would “randomly allocate steps to establish a more realistic-looking distribution” to further escape detection.


Why Is This A Problem?

Fitness trackers can maintain a continual stream of personal data collection How Much of Your Personal Data Could Smart Devices Track? Smart home privacy and security concerns are still as real as ever. And even though we love the idea of smart technology, this is just one of many things to be aware of before diving... Read More . Common data collection vectors include footsteps, heartbeat, sleep patterns, elevation, geolocations, quality of activities, and types of activities.

Some of the fitness trackers encourage their users to engage in additional fitness or social activities, such as specifying food for calorific counting and analysis, personal mood at specific times of the day (also in relation to activities and food consumption), to log their fitness goals 10 Excel Templates To Track Your Health and Fitness Read More and track progress over time Track Key Areas of Your Life In 1-Minute with Google Forms It is amazing what you can learn about yourself when you take the time to pay attention to your daily habits and behaviors. Use the versatile Google Forms to track your progress with important goals. Read More , or to compete against other fitness enthusiasts in gamified social media-styled dashboard environments The Best Social Fitness Apps to Work Out With Friends Social fitness apps are one of the best ways to stay accountable. Here are the best social fitness apps to work out with friends. Read More .

The issues raised by Open Effect and Citizen Lab illustrate the dangers in relying on fitness trackers to provide reliable personal data in a range of situations. Fitness tracker data has been used to secure insurance policies, or represent progress made with medical problems, yet we see the data could easily be falsified.

Furthermore, do these data issues make the very nature of these fitness tracker technology companies questionable? How do these poor attempts at data protection translate to their other products? The problem is not bound to fitness trackers alone, and more should be done by both citizens and regulators to ensure user data is protected at all times, lest we find entire industries undermined by their seeming lack of care and discretion with private data.

What Next?

The report findings are clear: increased security based upon the recommendations of Open Effect and Citizen Lab. Personal and private security is serious, and we should address issues as they arrive. But it isn’t only enhanced security that is needed. Fitness tracker users need to understand where their data is sent to, where it is stored, and which other parties have access to it.

The onus is on the technology companies to communicate with their users the full depth of technical surveillance they have acquiesced too, whether they realize it or not, along with its potential risks.

Is it time to throw your fitness tracker away? Probably not, especially if you have an Apple Watch Not The Apple Watch: 9 Other iPhone-Friendly Wearables The announcement of the Apple Watch was big news, but it's far from the only wearable device designed to be used with an iPhone. Read More . Despite mixed reactions toward the findings of the technical report from the fitness tracker manufacturers, it is unlikely that these vulnerabilities will exist for long.

Or, we can at least hope they will not exist for long.

Are you worried about your fitness tracker? Have you lost data through wearable technology? What happened? Let us know below!

Related topics: Fitness, Online Security, Wearable Technology.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Shelly
    January 20, 2017 at 2:56 am

    What's your opinion of the Bellabeat Leaf and how to maximize privacy while using it?

  2. fitness tracker market
    December 26, 2016 at 11:17 am

    The fitness tracker is a great device that can reduce your health property.

    • Gavin
      December 26, 2016 at 2:13 pm

      Sure. Though I think you might mean "reduce your weight" or "increase your health" rather than "decrease your health." The latter isn't so good. Thanks for reading and commenting!

  3. Kannon Yamada
    April 20, 2016 at 12:57 pm

    Gavin, this is a really excellent article. You've covered a really wide breadth of subjects and content. I learned a lot. Thank you.

    • Th15
      November 26, 2016 at 3:13 pm

      I can still see your toes. Perhaps with a little more effort, you'll be able to fit your entire body Inside his ass.

      • Gavin
        December 1, 2016 at 11:47 am

        Wow. That's really unfair. I'm not sure why you felt the need to comment. In future, think before typing.

  4. Anonymous
    April 19, 2016 at 5:05 pm

    Of course it is much more convenient to use a fitness tracker to record your workouts rather than a Casio Runner's watch and a paper log book. But convenience comes at a price - security and privacy. Whether convenience at the expense of security and privacy is a price worth paying is up to each individual. Unfortunately, most will opt for the convenience.

    Manufacturers WILL NOT make their devices more secure and WILL NOT stop collecting our personal data because that data is an additional income for them. ANY device with access to the Internet CAN and WILL be compromised. We cannot trust the technology we use.