Now trendy Fitbits are latest target for hackers
Attempt to steal health data
THEY are the must-have gadget for fitness fanatics and those who are trying to get more exercise.
But it has now emerged Fitbit bands could be abused by hackers to reduce health and life insurance premiums for the lazy.
An Edinburgh University study has found that vulnerabilities in the device’s security mean data gained by a healthy person could be stolen.
The information, intercepted as the device communicates with its digital ‘cloud’ server, can then be used to create fake health records, which are issued to insurance companies to lower annual payments.
Security weak spots found in two of the bestselling devices, Fitbit Flex and the more expensive Fitbit One, could allow unauthorised sharing of personal data with third parties including online retailers and marketing agencies, the team found.
American company Fitbit yesterday announced the launch of a series of ‘patches’ to strengthen security in the wake of the findings.
Dr Paul Patras, of the university’s School of Informatics, who took part in the study, added: ‘Our work demonstrates security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology development.
‘We welcome Fitbit’s receptiveness to our findings, their professional attitude towards understanding the vulnerabilities we identified and the timely manner in which they have improved the affected services.’
Working with Germany’s Technische Universität Darmstadt and the University of Padua, Italy, the team of scientists analysed the Fitbit Flex and Fitbit One, which retail for £55 and £95 respectively.
The waterproof devices are worn night and day to track heart rate, calories burned and steps taken.
During the study researchers discovered a way of intercepting messages transmitted between fitness trackers and cloud servers – where data is sent for analysis. This allowed them to access personal information and create false activity records.
The team also managed to falsify the information stored on the devices by physically taking them apart.
The study names health and life insurance provider Vitality as one of the companies that could potentially be targeted by hackers.
It rewards Fitbit-wearing policy holders with ‘points’ for hitting a set number of steps per day, for periods of elevated heart rate of between 30 and 60 minutes, and for burning calories. The more points they amass, the greater the discount.
Researchers have produced guidelines to help manufacturers remove similar weaknesses from future designs to ensure personal data is kept secure.
The findings will be presented at the International Symposium on Research in Attacks, Intrusions and Defences (RAID) in Atlanta, United States, on Monday.
The research was part-funded by the Scottish Informatics and Computer Science Alliance.
A spokesman for Fitbit said: ‘We are committed to protecting consumer privacy and keeping data safe. We are always looking for ways to strengthen the security of our devices, and in the upcoming days will start rolling out updates that improve device security, including ensuring encrypted communications for trackers launched prior to Surge.
‘The trust of our customers is paramount and we carefully design security measures for new products, continuously monitor for new threats, and diligently respond to identified issues.
‘We continue to value the research the security community does and their collaboration with us.’
A spokesman for Vitality said: ‘We ensure our members’ data is protected at all times.
‘We work with a range of partners to reward members for healthy behaviour.
‘The member then has a direct relationship with the partner or app, and it is at the member’s own discretion whether they choose to share their data with us via the manufacturer.’