Apple Watch comes out ahead in study of fitness tracker privacy, security

article thumbnail

AppleInsider is supported by its audience and may earn commission as an Amazon Associate and affiliate partner on qualifying purchases. These affiliate partnerships do not influence our editorial content.

When it comes to the privacy and security of user data, the Apple Watch and its accompanying software ecosystem are the most well-designed products in the wearable marketplace, a new study shows.

Bluetooth privacy protections — or lack thereof — were central the study's findings. Of the eight devices tested, Apple's wearable was the only one which regularly altered the MAC address broadcast by its Bluetooth radio.

Randomization of the MAC address on Bluetooth Low Energy products is accomplished by a BLE feature known as "LE Privacy." This is important, because unpaired Bluetooth products are designed to send "advertising" packets at regular intervals for discovery — that's how your iPhone knows that there's a nearby Apple Watch available for pairing.

Without this feature, researchers at Canadian privacy non-profit Open Effect and the University of Toronto note that it's relatively trivial to track the movements of individual users when their fitness bands are not actively paired with a device.

Fitbit blamed the "fragmented Android ecosystem" for the lack of LE Privacy support.

Contacted by the researchers about the fault, Fitbit noted that compatibility issues within the "fragmented Android ecosystem" prevent them from adding LE Privacy, despite hardware support in their products. Through corporate parent Intel, Basis noted that using the Peak while not paired to a smartphone was an edge case and did not commit to a fix.

None of the other companies in the test — Garmin, Jawbone, Mio, Withings, or Xiaomi — came back with "notable responses."

In addition to the Bluetooth issues, several companion software packages were found to be insecure. The researchers were variously able to intercept and read fitness data or write false data to disk.

The Garmin Connect app does not use HTTPs for connections, allowing a man-in-the-middle attack to read and write data. A similar attack was possible against Withings's Health Mate app on Android, while Jawbone's Up could allow users to send arbitrary fitness data to the cloud, an issue with potentially severe consequences:

"These findings concerning fitness tracker data integrity could call into question several real-world uses of fitness data," the researchers wrote. "Fitness tracking data has been introduced as evidence in court cases...meaning that at least some attorneys are relying upon generated fitness data as a possibly objective indicator of a person's activities at a given point in time. For Jawbone and Withings we created fraudulent fitness data which indicated that a passive measuring device, the fitness device, recorded a person taking steps at a specific time when no such steps occurred."