Bluetooth privacy protections were central to the study’s findings. Of the eight devices tested, Apple’s wearable was the only one that regularly changed the MAC address broadcast by its Bluetooth radio.
MAC address randomization on Bluetooth Low Energy products is provided by a BLE feature known as “LE Privacy.” It matters because a BLE device that is not connected to a phone keeps sending discovery packets (“advertising packets”) at regular intervals; that is how your iPhone knows an Apple Watch is nearby and ready to pair. Each of those packets carries the device’s address, so if the address never changes, anyone with a BLE receiver can recognize the same tracker every time it passes by.
Without this feature, researchers at the Canadian privacy non-profit Open Effect and the University of Toronto note, it is relatively trivial to track the movements of individual users whenever their fitness bands are not connected to their phones.
Contacted by the researchers about the fault, Fitbit said that compatibility problems within the “fragmented Android ecosystem” prevent it from adding LE Privacy. The tracker keeps broadcasting a fixed address even when the Android phone it is paired with has hardware support for resolving private addresses.
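For readers who want to see what LE Privacy actually does on the wire, the following is an added example written for this page, not code from the study or from any of the vendors named. It implements the Bluetooth Core Specification’s random address hash ah() (AES-128 over a zero-padded 24-bit random value), builds resolvable private addresses the way a compliant tracker would, and shows that only a peer holding the device’s Identity Resolving Key (IRK, exchanged during bonding) can link two successive addresses to the same device. The IRKs used in main() are random values constructed for the demo; the hex IRK and prand in the AhHex comment are the specification’s own published test vector.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// ah is the BLE random-address hash function (Core Spec Vol 3, Part H, 2.2.2):
//     ah(k, r) = e(k, 0^104 || r) mod 2^24
// where e is AES-128 and r is the 24-bit prand. Values here follow the spec's
// big-endian notation; HCI and on-air byte order is little-endian, so reverse
// an IRK or address taken from a real capture before passing it in.
func ah(irk [16]byte, prand [3]byte) ([3]byte, error) {
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		return [3]byte{}, err
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // r' = 104 zero bits || r
	block.Encrypt(out[:], in[:])
	var hash [3]byte
	copy(hash[:], out[13:]) // mod 2^24 keeps the low three bytes
	return hash, nil
}

// AhHex wraps ah for hex inputs so it can be checked against published vectors.
// Core Spec Appendix D.7: IRK ec0234a357c8ad05341010a60a397d9b, prand 708194 -> 0dfbaa.
func AhHex(irkHex, prandHex string) (string, error) {
	k, err := hex.DecodeString(irkHex)
	if err != nil || len(k) != 16 {
		return "", fmt.Errorf("bad IRK %q", irkHex)
	}
	r, err := hex.DecodeString(prandHex)
	if err != nil || len(r) != 3 {
		return "", fmt.Errorf("bad prand %q", prandHex)
	}
	var irk [16]byte
	var prand [3]byte
	copy(irk[:], k)
	copy(prand[:], r)
	h, err := ah(irk, prand)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(h[:]), nil
}

// NewRPA builds a resolvable private address: a fresh 24-bit prand whose top
// two bits are 0b01 in the upper half, ah(irk, prand) in the lower half.
func NewRPA(irk [16]byte) ([6]byte, error) {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		return [6]byte{}, err
	}
	prand[0] = prand[0]&0x3f | 0x40 // bits 47:46 = 01 flag a resolvable address
	hash, err := ah(irk, prand)
	if err != nil {
		return [6]byte{}, err
	}
	var addr [6]byte
	copy(addr[:3], prand[:])
	copy(addr[3:], hash[:])
	return addr, nil
}

// Resolve reports whether addr was produced from irk. Only a peer holding the
// IRK (shared during bonding) can link successive RPAs to one device; a
// passive sniffer sees an unrelated-looking address after every rotation.
func Resolve(irk [16]byte, addr [6]byte) bool {
	if addr[0]&0xc0 != 0x40 {
		return false // not a resolvable private address
	}
	var prand [3]byte
	copy(prand[:], addr[:3])
	hash, err := ah(irk, prand)
	return err == nil && hash == [3]byte{addr[3], addr[4], addr[5]}
}

func main() {
	var irk, otherIRK [16]byte
	_, _ = rand.Read(irk[:])      // the tracker's IRK (constructed for this demo)
	_, _ = rand.Read(otherIRK[:]) // an unrelated device's IRK
	a1, _ := NewRPA(irk)
	a2, _ := NewRPA(irk)
	fmt.Printf("rotation 1: %x\nrotation 2: %x\n", a1[:], a2[:])
	fmt.Println("bonded phone links them:", Resolve(irk, a1) && Resolve(irk, a2))
	fmt.Println("wrong IRK links them:   ", Resolve(otherIRK, a1) && Resolve(otherIRK, a2))
}
```

The two printed addresses share no visible relationship, which is the whole point: a device that rotates its address this way (the Apple Watch in the study) cannot be followed by a passive receiver, while one that advertises a fixed address can be. Note that a static or public address is not the only tracking risk; advertising payloads and manufacturer data can also identify a device, but those are outside what this example covers.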
In addition to the Bluetooth issues, several companion apps were found to be insecure. Depending on the app, the researchers were able to intercept and read fitness data or to write false data. The Garmin Connect app does not use HTTPS for its connections, so a man-in-the-middle attack can both read and modify the data in transit.
A similar attack was possible against Withings’ Health Mate app on Android, while Jawbone’s Up app could let a user upload arbitrary fitness data to the cloud, an issue with potentially severe consequences. In the study, the researchers wrote:
“These findings concerning fitness tracker data integrity could call into question several real-world uses of fitness data. Fitness tracking data has been introduced as evidence in court cases…meaning that at least some attorneys are relying upon generated fitness data as a possibly objective indicator of a person’s activities at a given point in time. For Jawbone and Withings we created fraudulent fitness data which indicated that a passive measuring device, the fitness device, recorded a person taking steps at a specific time when no such steps occurred.”
Wearables have become some of the most popular Internet-connected devices on the market; they have also given researchers a testing ground for a number of consumer security and privacy issues.
[via Toronto Star]