Wearable fitness trackers collect a lot of personal information about our activities, but only one is keeping that data away from anyone who wants to intercept it: Apple Watch. That's the finding from a study conducted by the University of Toronto's Citizen Lab at the Munk School of Global Affairs.
Your fitness tracker may be leaking personal data
The study, titled "Every Step you Fake: A Comparative Analysis of Fitness Tracker Privacy and Security," looked at security factors related to the data fitness trackers broadcast over Bluetooth connections. The researchers looked at the Apple Watch, along with fitness trackers from Fitbit, Garmin, Jawbone, Basis, Mio, Withings, and Xiaomi.
What they found was that all of the devices tested, except for Apple Watch, broadcast a persistent MAC address to identify themselves, ultimately giving anyone with enough tech savvy to download a Bluetooth data sniffer app a way to identify individual fitness trackers. With that information in hand, they can potentially intercept and log the same data that syncs with your smartphone.
Most of the devices tested transmitted data in a way that could be easily intercepted, and in some cases falsified data could be sent to the companion smartphone app. The study also showed that the data sent from the smartphone to online services could be intercepted for all devices except the Apple Watch and the Basis Peak. None of the devices tested in the study other than Apple Watch were using existing Bluetooth protocols designed to prevent someone from intercepting wireless transmissions.
That sounds pretty ominous, and to a degree it is. A stalker, for example, could wait in a coffee shop every day to surreptitiously capture the data from someone's fitness tracker, and if it includes location information, they potentially could learn where someone works or lives. That's not a likely scenario, but it is a possibility in some cases.
The fix is for fitness tracker makers to incorporate Bluetooth privacy standards, and to encrypt any data sent between devices and smartphones, as well as the data passed on to Web-based servers. Apple is already doing that, and Intel's Basis is at least part way there.
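A check a device maker or tester could run to confirm the address part of that fix, as an added example that is not from the study or any vendor: it classifies each advertised Bluetooth LE address by type and flags devices whose address never rotates. The observation log, device labels and the 900-second threshold are constructed assumptions; the tester is assumed to know which device was on the bench for each capture.

```python
from collections import defaultdict

# Constructed sample log: (seconds since start, bench device label,
# advertised address type, advertiser address). Not real devices.
OBSERVATIONS = [
    (0,    "tracker-A", "public", "00:11:22:33:44:55"),
    (900,  "tracker-A", "public", "00:11:22:33:44:55"),
    (1800, "tracker-A", "public", "00:11:22:33:44:55"),
    (0,    "tracker-B", "random", "5A:3C:91:0E:77:12"),
    (900,  "tracker-B", "random", "6F:19:AB:44:02:C8"),
    (1800, "tracker-B", "random", "43:D0:5E:2B:9A:31"),
    (0,    "tracker-C", "random", "C4:7E:10:98:AA:01"),
    (1800, "tracker-C", "random", "C4:7E:10:98:AA:01"),
]

def address_kind(addr_type, addr):
    """Classify a BLE advertiser address.

    Public addresses are fixed. For random addresses the two most
    significant bits select the sub-type: 11 static, 01 resolvable
    private, 00 non-resolvable private.
    """
    if addr_type == "public":
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {0b11: "random-static",
            0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")

def audit(observations, max_lifetime=900):
    """Report, per device, whether one address stays usable as an identifier.

    max_lifetime is an assumed threshold in seconds for how long a single
    address may be seen before it counts as persistent.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for ts, device, addr_type, addr in observations:
        seen[device][(addr_type, addr)].append(ts)
    report = {}
    for device, addrs in seen.items():
        kinds = {address_kind(t, a) for t, a in addrs}
        longest = max(max(ts) - min(ts) for ts in addrs.values())
        fixed = bool(kinds & {"public", "random-static"})
        report[device] = {"kinds": sorted(kinds),
                          "longest_lifetime_s": longest,
                          "persistent": fixed or longest > max_lifetime}
    return report

if __name__ == "__main__":
    for device, result in audit(OBSERVATIONS).items():
        print(device, result)
```

On the constructed log, tracker-A and tracker-C are flagged as persistent while tracker-B, which advertises a fresh resolvable private address in each capture, is not.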
Fitbit and Basis are both reviewing the report's findings and are looking at ways to improve device security. The other companies included in the study may be doing so, too, but that information wasn't available.
It isn't likely that someone will be actively looking to capture your fitness tracker data, but that doesn't mean device makers shouldn't take the possibility seriously. Until they're all on board, it looks like the only option for anyone concerned about fitness tracker data privacy is Apple Watch.