Your fitness tracking device could be open to hacking

Users constantly feed personal information into their devices, which is then stored on servers, making it vulnerable to cyber attacks.

Sales of fitness trackers will surge this year. Below, data from a device displayed on a smartphone. Richard Drew / AP
Powered by automated translation

Wearable fitness trackers are flying off the shelves, prompting warnings by technology experts about their susceptibility to cyber attacks.

The International Data Corporation (IDC) estimates about 72.1 million wearable devices such as the Apple Watch, Samsung Gear, Fitbit, Jawbone and Nike Fuel will be shipped this year, up from 26.4 million units in 2014. According to their report, the wearables category could increase to 155.7 million units by 2019. Experts in the UAE warn that with the growing appeal for wearables comes a very real danger of hacking.

“There are several tracking devices out there in the market and not all them are designed with proper security measures in places,” says Mohamed Djenane, security specialist at security software company ESET Middle East.

“Even some of the most trusted devices report the data to a command-and-control server, something like a back door that is vulnerable to attacks. We’ve recently witnessed that with a very legitimate vendor, as well.”

Users constantly feed personal information into their devices, which is then stored on servers, making it vulnerable to cyber attacks. “With obscure brands you really don’t have any idea about what is being done with your data,” says Djenane. “You have set up a profile with your full name, address, telephone numbers, your health status and enabled the GPS, giving the hacker important information.”

Most devices need to be synched with apps on smartphones and laptops, leading to further threats. “Users also need to be careful about the apps they install,” says Djenane. “They may have back doors.”

Djenane’s caution is echoed in a report by the security firm Symantec in its study “How Safe is Your Quantified Self”. Experts believe that all wearable activity-tracking devices, including those from leading brands, are vulnerable to location tracking. Kevin Sebastian, a 25-year-old media consultant in Dubai who owns a Fitbit and Android Wear, says he is aware of the danger of location tracking and limits the information he shares online now.

“People like to share their regular run routes and progress on social media, which appears on a map. I used to do it, too. This shows up as pins on a Google map and it is a privacy concern.”

Though he believes it isn’t a cause for alarm in a relatively safe country such as the UAE, “there should be a general awareness of how people use real-time tracking and share routes”.

Symantec notes that while wearables help keep track of fitness goals, the problem begins when it happens without consent, such as through Bluetooth Low Energy interface or Wi-Fi.

And while Djenane’s advice is to purchase devices that allow users to disable the synching option, Symantec found that 52 per cent of the apps examined did not make available privacy policies that answer important questions: Who collects the data? What is being collected? How long will it be stored?

Omar Abu Omar, a 28-year-old digital-marketing professional in Dubai, uses a Garmin 920XT to track a multitude of activities, but says he doesn’t have concerns when it comes to his personal information.

“I am very careful with what I put online,” says Omar. “I am quite active, but I would not post something I don’t feel comfortable sharing. I share selectively, and when I do, It’s usually a general post.”

Djenane agrees that prudence is necessary to stay safe, especially when creating profiles. “Do not reveal your true identity when creating profiles,” he says. “If it is not required, don’t put your name or mobile number.”

He also suggests researching the device’s mobile app.

“See what the app is and what privileges will be required from your devices. I don’t see the need for such privileges as calendar access and contact-book access. My advice would be to stay away from such wearables.”