Apple Watch survives privacy test – fitness trackers reveal location, passwords
(Image Credit: iStockPhoto/bekisha)
In a test conducted by the University of Toronto’s Munk School of Global Affairs and its Citizen Lab, a wide range of wearable devices revealed data which can be used to find the exact location of a user, and even offered up passwords and usernames by installed apps.
The researchers conducted tests on eight devices; the Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and Xiaomi Mi Band. Despite being the only device which offers more than fitness tracking, Apple's smartwatch was the only device which did not reveal data.
Apple protected their device from attack by randomly creating false locations when prompted to hand over its MAC address via Bluetooth – preventing any form of tracking. Retailers use Bluetooth beacons to gather data on potential customers; but users could unknowingly be handing over their data unwillingly.
"In the course of our technical investigations into transmission security, data integrity, and Bluetooth privacy, we discovered several issues that confirm concerns about the potential uses of fitness tracking data beyond the typical case of a user monitoring their own personal wellness," read the study.
The study, Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security, was published by Canadian non-profit Open Effect. Perhaps more concerning is that apps installed on the devices often relinquished usernames and passwords, and were also vulnerable to being fed incorrect data via a "Man In The Middle" (MITM) attack whereby a hacker accesses transmissions between smartphones or company servers.
With some insurers looking to use wearable data in their premium quotes, a MITM could be used by a wearer to falsify the data and reduce their premium. "The fitness data generated by several wearable devices can be falsified by motivated parties, calling into question the degree to which this data should be relied upon for insurance or legal purposes," the study read.
Garmin's Vivosmart protected login credentials via HTTPS, but did not guard other data. Fitness data on the Jawbone Up 2 and Withings Pulse O2 were found to be easily manipulated.
Should user privacy be a priority for wearable manufacturers? Let us know in the comments.