There’s lots of hype about how the Internet of Things (IoT) will make our lives better, and much of it is true. For example, my house has two Internet-connected thermostats that I can use to see and change temperature settings; that way I can keep the house uncomfortably cool or warm when I’m not there and adjust the temperature remotely so it’s comfy when I get there. Fitness devices are definitely a well-established part of the IoT; companies such as BodyMedia and Garmin have been making devices that can connect, either on their own or through a PC or smartphone, to Internet services for a while. That market has been growing very rapidly over the last few years (some estimates put it at $3 billion in 2015), so some bright folks at Open Effect (funded in part by the Canadian government) decided to take a look at the security of IoT-connected fitness devices.
The results (full report here) are pretty horrifying:
- Many devices broadcast their Bluetooth MAC address whenever they aren’t paired, and that address never changes, so it’s easy to track the wearer with nothing more than rudimentary Bluetooth beacon monitoring.
- The Jawbone and Withings fitness services don’t do a very good job of data validation; the researchers mention telling the Jawbone service that their test user walked 10,000,000,000 steps in one day, and the service happily accepted that. Worse still, they were able to inject fake data, generating records of “a person taking steps at a specific time when no such steps occurred.” Given that this data has been used in both criminal and civil trials in the US and Canada (see the extensive footnotes in section 1.4 of the report), this is pretty awful.
- Garmin and Withings don’t use HTTPS to protect data in transit. Given that I wear a Garmin watch and use a Withings scale daily, I have a problem with this. The researchers studied only the Garmin Connect app on iOS and Android, but if I had to bet, I’d guess that my Garmin watch (which has Wi-Fi) isn’t using HTTPS either.
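To make the tracking point in the first bullet concrete, here is an added example (mine, not code from the post or from the Open Effect report) of what “rudimentary Bluetooth beacon monitoring” amounts to. Bluetooth LE advertisements carry a 48-bit address plus a flag saying whether it is public or random; for random addresses, the top two bits of the first byte say whether it is a fixed “random static” address or a rotating private one. A device whose advertised address is public or random static and keeps showing up over hours is trackable; a phone using resolvable private addresses rotates them, so each address is seen only briefly. The observations list below is constructed sample data, and the 15-minute window is an assumption, not a number from the report.

```python
"""Classify BLE advertiser addresses and flag ones that make a device trackable.

Added illustration; the sightings below are constructed, not captured data.
"""

# For a *random* address (TxAdd flag set) the top two bits of the most
# significant byte select the sub-type (Bluetooth Core Spec, Vol 6 Part B):
#   0b11 -> random static        (fixed; in practice often never changes)
#   0b01 -> resolvable private   (rotates; only a peer holding the IRK can link them)
#   0b00 -> non-resolvable private (rotates; cannot be linked at all)
def classify_address(addr: str, random_flag: bool) -> str:
    msb = int(addr.split(":")[0], 16)
    if not random_flag:
        return "public"
    top = msb >> 6
    if top == 0b11:
        return "random-static"
    if top == 0b01:
        return "resolvable-private"
    if top == 0b00:
        return "non-resolvable-private"
    return "reserved"


def trackable_devices(observations, window_s=900):
    """observations: iterable of (t_seconds, addr, random_flag, advertised_name).

    Returns the addresses that are inherently fixed (public or random static)
    and were sighted over a span of at least window_s seconds, i.e. the
    wearers a passive sniffer could follow from place to place.
    window_s = 900 is an assumed threshold (typical RPA rotation interval)."""
    first_last = {}
    kinds = {}
    for t, addr, rnd, name in observations:
        addr = addr.upper()
        kinds[addr] = (classify_address(addr, rnd), name)
        lo, hi = first_last.get(addr, (t, t))
        first_last[addr] = (min(lo, t), max(hi, t))
    result = []
    for addr, (lo, hi) in first_last.items():
        kind, name = kinds[addr]
        if kind in ("public", "random-static") and hi - lo >= window_s:
            result.append((addr, kind, name, hi - lo))
    return sorted(result)


# Constructed sightings: (seconds since start of capture, address, TxAdd random?, name).
# A fitness band with a public address and a tracker with a random static
# address are seen repeatedly; a phone rotating resolvable private addresses
# shows up as three unrelated addresses and is not flagged.
OBSERVATIONS = [
    (0,     "00:1A:7D:DA:71:13", False, "FitBand"),
    (3600,  "00:1A:7D:DA:71:13", False, "FitBand"),
    (7200,  "00:1A:7D:DA:71:13", False, "FitBand"),
    (0,     "E3:9C:44:10:2A:F1", True,  "Tracker-2"),
    (86400, "E3:9C:44:10:2A:F1", True,  "Tracker-2"),
    (0,     "6F:12:88:3C:0D:E2", True,  ""),
    (900,   "4B:7E:01:9A:55:C3", True,  ""),
    (1800,  "5D:0A:C2:77:19:4E", True,  ""),
]


def run_sample():
    return trackable_devices(OBSERVATIONS)


if __name__ == "__main__":
    for addr, kind, name, span in run_sample():
        print(f"{addr} ({kind}, {name!r}) seen across {span} s")
```

The fix on the device side is the one phones already use: advertise with resolvable private addresses that rotate, so a sniffer sees a different address every few minutes and cannot link sightings without the identity resolving key.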
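The second bullet is about missing server-side validation, so here is an added example (again mine, not the researchers’ code or any vendor’s) of the plausibility checks a fitness service could run before writing an uploaded step record. It rejects the 10,000,000,000-step day, a 60-second record claiming thousands of steps, a record timestamped in the future, and a record that overlaps one already accepted. The thresholds (250 steps per minute, 100,000 steps per day, 10 minutes of clock skew) are assumptions chosen for illustration, and the records are constructed, not real uploads; the function also assumes all records in one call belong to the same day.

```python
"""Server-side plausibility checks for uploaded step-count records.

Added illustration; thresholds and sample records are assumptions, not
values from the Open Effect report or from any vendor's API.
"""
from dataclasses import dataclass

MAX_STEPS_PER_MIN = 250      # assumed: fast runners manage ~180-200/min
MAX_STEPS_PER_DAY = 100_000  # assumed: generous upper bound on a human day
MAX_CLOCK_SKEW_S = 600       # assumed: tolerate a device clock 10 min fast


@dataclass(frozen=True)
class StepRecord:
    start: int   # epoch seconds, inclusive
    end: int     # epoch seconds, exclusive
    steps: int


def validate_records(records, now, daily_total_so_far=0):
    """Return (accepted, rejections).

    rejections is a list of (record, reason). Records are checked in start
    order so that overlap and running-total checks see earlier records first.
    Assumes every record in `records` falls on the same calendar day."""
    accepted, rejections = [], []
    last_end = None
    total = daily_total_so_far
    for r in sorted(records, key=lambda x: x.start):
        dur = r.end - r.start
        reason = None
        if dur <= 0:
            reason = "non-positive interval"
        elif r.steps < 0:
            reason = "negative steps"
        elif r.end > now + MAX_CLOCK_SKEW_S:
            reason = "timestamp in the future"
        elif last_end is not None and r.start < last_end:
            reason = "overlaps previous record"
        elif r.steps > MAX_STEPS_PER_MIN * dur / 60:
            reason = "step rate implausible"
        elif total + r.steps > MAX_STEPS_PER_DAY:
            reason = "daily total implausible"
        if reason is not None:
            rejections.append((r, reason))
            continue
        accepted.append(r)
        total += r.steps
        last_end = r.end
    return accepted, rejections


# Constructed sample upload, relative to a fixed "server clock".
NOW = 1_700_000_000
SAMPLE_RECORDS = [
    StepRecord(NOW - 3600, NOW - 3540, 95),                 # one honest minute of walking
    StepRecord(NOW - 86400, NOW - 3600, 10_000_000_000),    # the 10-billion-step day
    StepRecord(NOW - 3000, NOW - 2940, 5000),               # injected: 5000 steps in 60 s
    StepRecord(NOW + 1000, NOW + 1060, 80),                 # steps that haven't happened yet
    StepRecord(NOW - 3550, NOW - 3500, 20),                 # overlaps the honest record
]


def run_sample():
    return validate_records(SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    ok, bad = run_sample()
    print("accepted:", [r.steps for r in ok])
    for r, why in bad:
        print(f"rejected {r.steps} steps [{r.start}, {r.end}): {why}")
```

Note that these checks only catch implausible data; a forged record with a believable step count and a quiet time slot passes them, which is why the injection finding matters more than the 10-billion-step one for anything that ends up in court.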
Apart from calling Garmin to yell at them, I’m posting this mostly to point out yet another case where the rush to get things on the Internet may have unintended consequences. While my individual fitness data is not necessarily something I mind being visible, I don’t like that these manufacturers have been so sloppy. I can understand not wanting to implement HTTPS on a very low-power device, but there’s no excuse not to implement it in a mobile app, for crying out loud.
Meanwhile, if I ever need to, now I know how to challenge any fitness-related data that may be introduced in court.