New study reveals how personal data can be stolen from Fitbit devices


The University of Edinburgh has released results from a new study that reveals how personal information can be stolen from Fitbit fitness bands.

Researchers analyzed the Fitbit One and Fitbit Flex wristbands, and discovered a way of intercepting messages transmitted between fitness trackers and cloud servers – where data is sent for analysis. This allowed them to access personal information and create false activity records.

Commenting on this, Dan Lyon, principal consultant at Synopsys, said:

The recent article on Fitbit highlights a vulnerability that enables someone with physical access to the Fitbit to extract specific data from the device. Currently the attack requires physical access and is limited to acquiring a limited amount of data; however, it helps to highlight the growing importance of physical activity data.

As corporate wellness programs evolve, they are including things like physical activity as a basis to offer discounts on insurance or rewards such as gift cards. These monetary incentives are being tied to and distributed based on users’ activity data. While the current monetary impact is small, the future is likely going to have this data being more and more valuable. Wearables in general are evolving to collect much more data to provide increased benefits, but this also increases the potential risks.

Medical conditions, such as movement disorders, are currently being studied for early indicators related to physical activity through commercially available wearable devices. It may be possible to identify that people have movement disorders such as Parkinson’s disease through specific profiles or changes in things like a person’s walking gait or arm movements.

If this kind of analysis can be performed now or anytime in the future, it could be used to determine a person has a specific medical condition. The impact of this to the individual could be raised healthcare premiums or even denied coverage due to preexisting conditions. And once the data is in the hands of an organization, it could potentially be sold for other purposes.

While this kind of big data potential is still in its infancy, the risks are real and need to be understood. The wearables and their data transfer, storage and analysis systems need to be designed to minimize the risks. Organizations need to address security and privacy through a comprehensive effort to build security into the entire development process. The Fitbit example highlights one element of good design in that they are able to release software updates to address the issue. The ability to deliver secure software updates is a crucial design element that many devices do not have.
