Fitness trackers can be dangerous to the health of your data

As wearable devices give hackers access to personal information, consumers must demand more security


Wearable devices—including fitness trackers—will be the top fitness trend of 2017, driving a rapidly growing number of consumers to collect, record and analyze their health-related metrics, according to an annual trend forecast by the American College of Sports Medicine.

But cyber criminals are learning to weaponize the Internet of Things on a new, massive scale, and like most connected consumer devices, fitness trackers are not terribly secure.


Right now, fitness trackers are a small cog in the IoT machine. But what could happen if hundreds or thousands of employees used these easily infected devices that follow them everywhere they go, inside and outside of the network perimeter?

ABI Research estimates that more than 44 million wearable devices will be part of corporate wellness plans over the next five years.

Geoff Webb, of global software company Micro Focus, points out that the rapidly expanding space of connected devices raises concerns that are yet to be fully understood.

One is the capacity of these devices to infect one another and then form ad-hoc networks that are not connected to the internet yet allow them to talk to one another.

“Once they do that, it’s really hard to see what they’re up to because they’re not communicating through the channels that we spent a lot of time, money and effort to secure,” he says.

Another weapon in hackers’ arsenal

As wearables move around, the virus could spread as easily as the flu.

“It could start an infection process that’s out of control,” Webb says. “If you have a population of thousands of these things, you can never catch up again, no matter how many times you send an update.”

Last year, researchers at Fortinet discovered a theoretical hack in Fitbit trackers through the Bluetooth port. Although a hacker would have had to be in proximity for 10 seconds to infect the device with malware, once the device connected to a computer, it could autonomously carry out the desired action, like creating a backdoor or trojan.

Chris Clark, Synopsys principal security engineer for global solutions

With this kind of vulnerability, all it takes to introduce malware into the corporate network is one employee plugging the device into a computer USB for charging, says Chris Clark, principal security engineer for global solutions at Synopsys, which provides software testing.

“The potential for some of this smallware to infect even systems that are well-protected with anti-malware and anti-virus tools is still very high,” he says.

In a highly targeted attack, a fitness tracker could be even handier: Every person’s heartbeat is unique.

“The heartbeat changes over time, but a (fitness tracker) is constantly tracking it so it creates a digital signature of you,” says Michael Ebert, partner and cyber practice leader at consultancy KPMG. “So you could authenticate a person walking within the perimeter just based on the tracker.”

Blurring lines of medical data

Not only can they be easily hacked, but fitness trackers are not regulated in the same way as medical devices that fall under the Food and Drug Administration—which is starting to focus on the problem. Last year, the FDA issued cybersecurity guidance for manufacturers of new and existing devices.

Nor are the trackers subject to consumer protections under HIPAA, despite collecting personal health data. That means consumers don’t have much control over how their data is used, and manufacturers are not required to notify them in the event of a data breach.

“The wearables follow you around everywhere so it becomes not just a security issue, but also a privacy issue,” says Craig Spiezle, executive director for the nonprofit Online Trust Alliance. Last year, OTA established the IoT Trustworthy Group, a coalition for developing security and privacy controls for connected devices.

There are many unanswered questions, Spiezle says. For example, who owns the data? What happens to the information if the individual deletes the account? What are the limitations on the data storage?

This transition to quasi-medical devices will continue, as more physicians are “prescribing” the trackers.

“Fitbit and those devices offer tremendous advantage to quality care and to continuous monitoring and measuring your performance,” Ebert says.

But that means more personal data gathered about individuals by multiple entities.

“It’s adding another dimension and risk footprint as they’re collecting more data … so there will (more) breaches,” Spiezle says.

The OTA just released its second version of the IoT Trust Framework, which the organization hopes the IoT industry will voluntarily adopt. Among the recommended principles are full encryption, automated software and firmware patches and strong authentication.

But security features such as encryption are problematic for connected devices because additional features impact functionality, speed and battery life, as well as cost.

A trendy incentive

More compact storage, faster processing power and other improvements are making security easier to implement—and manufacturers typically respond to market pressure. What may incentivize manufacturers, ironically, is that fitness craze that employers are tapping into.

Corporate wellness programs help employers cut their health insurance costs. And according to ABI Research, early data suggests that wearable devices greatly increase participation in these programs—from 20 percent to 70 percent or more.

As manufacturers like Fitbit become more integrated into corporate infrastructure through these employee health care plans, they’re under pressure to improve device security, Webb says.

“Demand from the customer base is something most organizations respond to,” he says. “If you can show (employers) that you have a secure device they can bring into the organization with some degree of confidence, that would be a bigger incentive than regulation.”
