Is your gym exposing more than your abs?
Stay in good cyber shape by protecting personal data during your workout
By Adam Levin, Special to ThirdCertainty
When Apple announced a serious hardware flaw last week, and the critical security patch that addressed it, my first thought was perhaps arbitrary: “That exploit would work at the gym.” My next thought: What else would?
The discovery of a zero-day exploit affecting hardware—specifically a Wi-Fi chip embedded in the main processors of Apple devices—was serious news. The vulnerability makes it possible for a hacker within range to “execute arbitrary code on the Wi-Fi chip.” A similar vulnerability was announced and patched on the Android platform earlier in the month.
The gym often is seen as a safe space to burn off steam, clear your head and boost your heart rate, but it also can be dangerous. The gym stores a lot of personal information and is filled with strangers in close proximity to one another. Because of this, it’s important to think about more than building physical strength — building cyber strength is crucial to making yourself a harder target to hit.
The gym often is seen as a safe space to burn off steam, clear your head and boost your heart rate but it also can be dangerous. The gym stores a lot of personal information and is filled with strangers in close proximity to one another. Because of this, it’s important to think about more than building physical strength — building cyber strength is crucial to making yourself a harder target to hit.
Here are a few things to make your next trip to the gym as scam-proof as possible.
How is your personal data stored?
Your gym can require and request a ton of personal information: your Social Security number, driver’s license number, credit and banking information, your home address and, in some cases, your medical or health information. In the hands of the wrong person, this information can lead to identity theft and major breach of privacy.
Your job is to reduce your attackable surface and watch out for scams.
The first question you should ask is how your information is stored, and who has access to it. Don’t accept a vague answer unless it is the correct answer. “I’m not sure,” might indicate an ill-informed point of contact at the front desk or, worse, a total lack of data security. Don’t be surprised if everyone who punches the clock at your gym has access to your information.
Because of this, it’s important to think about what kind of information your gym has and why they need it. Try to limit what information they get, even if it is “required.” While the gym needs to identify you, they don’t need much data to do that. It’s your job to give them the bare minimum they need.
Be wary of charging your devices at the gym. Simply plugging your phone into the wall can make you vulnerable to juice jacking, a cyber attack where a charging port does double duty as a data connection that either steals user data or downloads malware to steal it at a later time.
Though it seems unlikely, if your gym’s owner isn’t up to date with scams, the gym may unwittingly allow a hacker to install a data-stealing kiosk for members to use.
Always pay attention to phone pop-ups. Both Apple and Android now have stopgaps to avoid juice jacking exploits, but the warning screen can be distractedly tapped away and ignored, thus opening the door to an intruder.
If you want to reduce the risks while charging your devices at the gym, look into USB cords without data transporting cables. You also can make juice jacking impossible by using the AC adapter your device came with or a back-up battery device.
Here’s another way your devices can leave you vulnerable to attack. Signing on to your gym’s public Wi-Fi can be risky—such is the case whenever you log on to a public Wi-Fi network. Another thing to remember: Hackers may not always ask for the gym owner’s permission to set up the Wi-Fi network that’s labeled with the gym’s name.
In addition to the fake Wi-Fi setup, there’s the threat of a man-in-the-middle attack. This attack can secretly alter the communication between two parties and even lead to eavesdropping by an unknown third party.
If you are going to log on to the Wi-Fi at your gym, always look for HTTPS in the address and the green lock near the URL of the sites you visit, and think long and hard before visiting destinations like banks, credit cards and the like that require or provide access to sensitive information.
Remember, if you ever have any suspicion your information has been compromised, always contact your credit card providers ASAP. It’s also helpful to check your credit for any sudden changes (You can get a free credit report snapshot at Credit.com) While knowing the latest threats out there and using security updates the moment they are issued is great and absolutely necessary, it’s important to bear in mind that there is no anti-fraud silver bullet. Gyms are neither better nor worse than anywhere else when it comes to data security practices, but they are definitely places where you can be harmed.
Full disclosure: CyberScout sponsors ThirdCertainty. This story originated as an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.