Fitness Trackers Leaking Personal Data?
Security lapses on various popular fitness tracking devices may allow hackers to access and manipulate user data, says a recent study.
A study of seven Android-based trackers by security firm AV-Test revealed several vulnerabilities in these devices, similar to those found in identical research a year ago. AV-Test reported that many of the devices lacked tamper protection or a secure connection.
Researchers said the Apple Watch notched a high rating because of its operating system, despite having some “theoretical vulnerabilities”.
All seven Android devices tested by AV-Test showed different levels of security. Some even allowed hackers to tamper with user data.
The report said that, as in the first test on fitness wristbands carried out last year, a large section of manufacturers repeated the same errors in the current test. They don’t seem to attach enough importance to the security of their devices, AV-Test said.
Xiaomi, Striiv, and Runtastic carried the highest risk among all the fitness tracking devices tested, with at least seven probable vulnerabilities on a scale of 10.
The report said that tracking these products is rather easy. The devices offer erratic or absolutely no authentication or tamper protection. Besides, the code of the apps running on these devices is not properly obfuscated to secure data. With root certificates, the report said, the data traffic can be both monitored and manipulated.
Xiaomi seems to be the worst of them all, as it stores all its data unencrypted on the smartphone.
Researchers at AV-Test noted that security issues with fitness trackers should be taken more seriously, as these gadgets are moving beyond use by casual athletes. Many health insurance companies use fitness tracking devices to set rates or offer discounts.
Basis Peak, Microsoft Band 2, and Pebble Time were the three most secure devices in the test, with only two or three probable security issues.
Researchers said that the Apple Watch was almost impossible to track. But the device reveals some identifying characteristics in airplane mode, which shouldn’t actually be the case. The Apple Watch mainly uses encrypted connections that are extra-secure. The Apple device, however, updates itself via an unencrypted connection.
While many of the tested devices themselves revealed the whereabouts of their owners, the accompanying apps leaked a greater volume of personal information. For instance, some apps revealed login credentials and failed to protect against interception while transferring data to a smartphone, tablet, wearable and the manufacturer’s own servers. AV-Test used a man-in-the-middle attack to intercept data sent to and from the servers of the companion apps. This may also enable others to insert false data into the smartphone or wearables.
Fitness tracker manufacturers need to do more to protect user data by securing their Bluetooth connection and revising the accompanying apps.
According to technology and business intelligence firm IDC, more than 75 million fitness trackers were sold all over the world in 2015. This year, the firm says, the number is likely to cross 100 million.
by techtalks @TechTalks August 25, 2016 10:24 AM UTC