A study has shown that the security of wearables could be improved to help protect users’ data.
Researchers from the University of Edinburgh looked at two products by Fitbit and found vulnerabilities that could threaten the privacy and security of the data the wearables record.
Hackers could exploit weak spots in the devices’ communication procedures, allowing for unauthorised sharing of personal data with third parties, including online retailers and marketing agencies.
By exploiting the devices’ weaknesses, fake health records could potentially be created, allowing fraudsters to obtain cheaper cover from insurers that reward physical activity with lower premiums.
The team at the University of Edinburgh found a way to intercept messages transmitted between the fitness trackers and cloud servers. By intercepting these messages, the researchers could access personal information and create false activity records.
The end-to-end encryption on the devices, which keeps data secure, was also compromised when the researchers dismantled the devices and modified the information stored inside, allowing them to gain access to stored data.
The team have produced guidelines to help manufacturers remove similar vulnerabilities from future designs to help ensure that personal data is secure.
Fitbit responded to the findings by developing software patches to improve the privacy and security of its devices.
Dr Paul Patras, of the University of Edinburgh’s School of Informatics, said: “Our work demonstrates that security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology development. We welcome Fitbit’s receptiveness to our findings, their professional attitude towards understanding the vulnerabilities we identified and the timely manner in which they have improved the affected services.”
Dan Lyon, principal consultant at Synopsys, provided a comment to DHA, emphasising the need for physical access to the devices.
He said: “Medical conditions, such as movement disorders, are currently being studied for early indicators related to physical activity through commercially available wearable devices. It may be possible to identify that people have movement disorders such as Parkinson’s disease through specific profiles or changes in things like a person’s walking gait or arm movements.
“If this kind of analysis can be performed now or anytime in the future, it could be used to determine a person has a specific medical condition. The impact of this to the individual could be raised healthcare premiums or even denied coverage due to preexisting conditions. And once the data is in the hands of an organisation, it could potentially be sold for other purposes.
“While this kind of big data potential is still in its infancy, the risks are real and need to be understood. The wearables and their data transfer, storage and analysis systems need to be designed to minimise the risks. Organisations need to address security and privacy through a comprehensive effort to build security into the entire development process. The Fitbit example highlights one element of good design in that they are able to release software updates to address the issue. The ability to deliver secure software updates is a crucial design element that many devices do not have.”