
Some fitness trackers vulnerable to monitoring, U of T study finds

Some of the top-selling brands of fitness trackers that monitor heart rates, sleeping patterns and movement are putting user data and privacy at risk, even when devices aren't being used for exercise and mobile apps are turned off, according to a new report.

Research raises questions about user privacy and possible falsified data

Video (1:39): Is your fitness tracker spying on you? Some fitness trackers that monitor wearers' heart rates, sleeping patterns and movement are putting user data and privacy at risk, even when the mobile apps are turned off.

Video (0:54): Researcher alters data, fakes 800 km walk. Citizen Lab researcher Andrew Hilts shows Dave Seglins how he can hack into his Jawbone fitness tracker data to fake his workout.

Cybersecurity researchers at the University of Toronto examined eight popular wrist-worn trackers. They tested how they communicate with mobile apps and even upload and store a user's workout information on manufacturers' computer servers.

The researchers conclude that several models expose users to potential internet snoops and hackers even when devices aren't being used for exercise and mobile apps are turned off.
'That can be a bit invasive,' squash enthusiast Mike Maiola says after learning about possible privacy problems with his fitness tracker. (CBC)

"Fitness trackers are a fairly new technology and we don't have many regulations right now," said lead researcher Andrew Hilts, who is executive director of Open Effect and a research fellow at Citizen Lab at the U of T's Munk School of Global Affairs.

"We found cases where your data is being sent and you might not be aware, and there's no apparent reason why it's being sent," Hilts told CBC News.

The study examined popular models made by Garmin, Fitbit, Jawbone, Mio, Withings, Xiaomi, Basis and Apple.

Location tracking

Each of the devices uses Bluetooth technology that emits a signal and a unique ID that can be detected even when the tracker is not paired with a mobile phone.

This "can leave their wearers exposed to long-term tracking of their location," concludes the Open Effect / Citizen Lab research report released Tuesday.

To demonstrate, Hilts accompanied CBC News to Yorkdale Shopping Centre in suburban Toronto. He used his own mobile phone to scan for Bluetooth signals. He detected many devices, including a Garmin Vivoactive Smartwatch worn by squash enthusiast Mike Maiola.
Andrew Hilts, executive director of Open Effect and a research fellow at Citizen Lab at the University of Toronto's Munk School of Global Affairs, uncovered possible privacy and data-falsifying problems with some fitness trackers. (CBC)

"That can be a bit invasive," Maiola said with some surprise when CBC News showed him that his wristwatch fitness tracker could be detected even when he wasn't using it for a workout.

The researchers warn this exposes users to having their devices tracked and logged each time they enter a mall or another environment using sophisticated retail data scanning technology.

"I got it for fitness tracking, for golf and a whole host of things. And I wear it every day — it never comes off my wrist, really," says Maiola.

But now he's reconsidering.

This information "might change how I actually use the device and whether or not I have the Bluetooth functionality on."

The Apple Watch received high marks in the study for data security because it is the only model that randomizes a user's Bluetooth ID, making it impossible to track over the long term.
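The difference between a fixed Bluetooth ID and a randomized one can be checked from a device's own advertising address. The following is an added example, not code from the report or from CBC: it classifies a Bluetooth LE address by the type bits defined in the Bluetooth Core Specification and then, over a constructed scan log, reports which addresses would let an observer recognise the same wearer on a later visit. The 15-minute window is the specification's recommended private-address rotation interval; the addresses, timestamps and places are made up for the example.

```python
from datetime import datetime

# Constructed scan log, not real captures: (timestamp, place, address, address_type).
# Two devices keep a fixed address across visits; one rotates a resolvable private address.
SCANS = [
    ("2016-02-01 12:00", "mall", "C4:7B:11:22:33:44", "public"),
    ("2016-02-01 12:20", "mall", "C4:7B:11:22:33:44", "public"),
    ("2016-02-03 18:05", "mall", "C4:7B:11:22:33:44", "public"),
    ("2016-02-01 12:01", "mall", "D1:6E:00:AA:BB:01", "random"),  # top bits 11: static random
    ("2016-02-03 18:07", "mall", "D1:6E:00:AA:BB:01", "random"),
    ("2016-02-01 12:02", "mall", "5A:10:42:9C:00:17", "random"),  # top bits 01: resolvable private
    ("2016-02-01 12:18", "mall", "4F:3D:A0:17:66:02", "random"),  # same device after rotation
    ("2016-02-03 18:06", "mall", "6B:21:0C:55:E1:F9", "random"),  # same device, next visit
]

def classify_ble_address(addr, addr_type):
    """Public addresses are fixed identifiers. Random addresses are typed by the two
    most significant bits: 11 static, 01 resolvable private, 00 non-resolvable private."""
    if addr_type == "public":
        return "public"
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static_random", 0b01: "resolvable_private",
            0b00: "non_resolvable_private"}.get(top, "reserved")

def linkability_report(scans, rotation_minutes=15):
    """For each address: its kind, the number of distinct days it was seen, and the
    minutes between first and last sighting. An address seen on more than one day, or
    for longer than a rotation window, lets a passive observer re-identify the wearer."""
    seen = {}
    for ts, place, addr, addr_type in scans:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        rec = seen.setdefault(addr, {"kind": classify_ble_address(addr, addr_type),
                                     "first": t, "last": t, "days": set()})
        rec["first"] = min(rec["first"], t)
        rec["last"] = max(rec["last"], t)
        rec["days"].add(t.date())
    report = {}
    for addr, rec in seen.items():
        span = (rec["last"] - rec["first"]).total_seconds() / 60
        trackable = len(rec["days"]) > 1 or span > rotation_minutes
        report[addr] = {"kind": rec["kind"], "days_seen": len(rec["days"]),
                        "span_minutes": span, "long_term_trackable": trackable}
    return report

if __name__ == "__main__":
    for addr, info in linkability_report(SCANS).items():
        print(addr, info)
```

Only the fixed public and static-random addresses are flagged; the rotating addresses each appear once and cannot be tied to the earlier visit without the device's identity resolving key.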

Bogus workout results

The Citizen Lab researchers conclude the Garmin app, called Connect, sends heart rate, workout and movement data across the internet without encryption.

"Eavesdroppers could easily look at their data," Hilts cautions.  

In addition, Hilts says other devices have vulnerabilities that could allow a user with a bit of technical know-how to tamper with their fitness information to log bogus workout results.

This is concerning, says Hilts, because fitness tracker data is increasingly being relied on as evidence in court, or as a basis for rewards or discounts tied to corporate wellness programs and health insurance policies.

"Potentially people could meddle with their data and say they are doing fitness events, fitness activities, even when they weren't," Hilts said.

Sitting at his computer, Hilts demonstrated for CBC News how he was able to send false "walking data" to his Jawbone UP 2 account to make it appear he walked one million steps on a recent Saturday. That's roughly 800 km, the distance from Toronto to Quebec City. 

Video (0:47): Privacy study prompts re-think of tracker use. Squash player rethinks how he uses his fitness tracker after learning about possible privacy concerns.

"I could definitely fake my workout to astronomical levels," Hilts said.

"Let's say the person's insurance premiums are related to the amount of activity they report on their fitness tracker. All it takes is a few bad apples to exploit their device and inflate their step counts."

The manufacturer, Jawbone, told CBC News it is investigating the claims made in the research report and declined to answer questions.

Garmin, the maker of the device that transmits basic fitness data without encryption, declined requests for comment.

Other manufacturers (Mio, Fitbit, Withings) issued statements expressing commitments to privacy, stressing that data transmitted from apps does not disclose a user's name. They insist that using Bluetooth LE (Low Energy) is industry-standard and power-efficient despite potential privacy exposures.

Withings, maker of the Pulse O2 tracker, stated the company "does not believe any customer is at risk of having their location tracked over the long term."

However, Withings shut down the Share Dashboard social-media function on its Health Mate app for Android users after CBC News contacted the company about the findings.

"An updated version of the Android app will be available in the coming week and will feature enhanced encryption," said company spokesman Ian Twinn in an email.

Details of the 8 devices studied in the Open Effect / Citizen Lab research report

ABOUT THE AUTHOR

Dave Seglins

CBC Investigations

Dave Seglins is an investigative journalist whose recent work includes exposés on global ticket scalping, offshore tax avoidance and government surveillance. He covers a range of domestic and international issues, including rail safety, policing, government and corporate corruption.