Fitbit hack: Wearable firm pushing out security updates following cybersecurity warnings
University team able to access personal data and create false activity records.
Fitbit is set to roll out a series of security updates after a team of researchers from the University of Edinburgh uncovered evidence users' personal data was at risk from vulnerabilities in at least two popular models of the wearable technology.
Flaws in the Fitbit One and Fitbit Flex – which track users' heart rates, steps taken and daily calories burned – meant that data could be intercepted as it was being sent between the fitness trackers and the firm's cloud servers, where such information is sent for analysis.
Researchers said that exploiting gaps in security could "allow unauthorised sharing of personal data with third parties", such as marketing agencies or retailers.
The team was able to bypass the Fitbits to access personal information and create false activity records.
The devices' encryption could be circumvented completely, but the team noted this could only be done by "dismantling devices and modifying information."
"Our work demonstrates that security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology development," said Dr Paul Patras of the University's School of Informatics.
He added: "We welcome Fitbit's receptiveness to our findings.
"[Its] professional attitude towards understanding the vulnerabilities we identified and the timely manner in which they have improved the affected services."
In response to the findings, Fitbit is pushing out patches to improve the security of its devices.
A spokesperson told IBTimes UK: "As the leading wearables brand, we are committed to protecting consumer privacy and keeping data safe.
"All devices since the Fitbit Surge was launched in 2015 have implemented end-to-end encryption.
"We are always looking for ways to strengthen the security of our devices, and in the upcoming days will start rolling out updates that improve device security, including ensuring encrypted communications for trackers launched prior to Surge.
"We are also proud to be recognised by these researchers for employing the most effective security mechanisms in our products when compared to other vendors.
"The trust of our customers is paramount and we carefully design security measures for new products, continuously monitor for new threats, and diligently respond to identified issues. We continue to value the research the security community does."
The full research findings will reportedly be presented at the International Symposium on Research in Attacks (RAID) on 18-20 September. The research was carried out in collaboration with Technische Universität Darmstadt and the University of Padua.
In mid-March this year, a report released by the UK's security services warned that consumer devices – including fitness trackers and smart-TVs – will soon become a key hacking target.
It's hardly the Equifax hack, but all personal data has value to cybercriminals.
"Connected consumer devices will contain huge amounts of personal data, which could be targeted by criminals seeking to commit extortion or fraud using tailored malware," stated the annual threat report co-authored by the National Crime Agency, or NCA.
"This data may not be inherently valuable, and might not be sold on criminal forums but the device and data will be sufficiently valuable to the victim that they will be willing to pay for it."