2015 was certainly a landmark year: what wearable enthusiasts had been predicting for years has actually happened. Sales of wearable technology devices soared through the roof as Apple and other manufacturers jumped on the bandwagon. One manufacturer leading the wearable revolution has been Fitbit, which has been producing fitness trackers since the company was founded in 2007.
Unfortunately, one of the most well-known faces of the wearable technology revolution is also often used as an example of wearable security vulnerabilities. In 2015, a vulnerability in the Fitbit software which allegedly allowed people to hack into the Fitbit Flex within 10 seconds was made public. Fitbit disputed that this was the case, but recently more cases of Fitbit hacking have come to light.
Reports from BuzzFeed News found that cyber criminals hacked into Fitbit user accounts. This gave the hackers full access to data such as when the users went to sleep and when they went for a run. Once they were logged into the accounts, the hackers changed the usernames and ordered a replacement Fitbit from the company under the warranty.
It is not believed that any of the usernames and passwords used by the hackers came from a breach of Fitbit's own systems. The passwords may have been guessed or brute-forced (meaning that numerous combinations were attempted until a correct one was found). They may also have been purchased from criminal hackers who obtained them through a phishing attack or by installing keylogging software on a victim's computer.
Although this attack was not carried out on the Fitbit devices themselves, it does demonstrate how vulnerable the surrounding ecosystem is to data breaches. The data on a Fitbit device has to be transferred to a separate software system before the user can view it. If that second system is not appropriately secured, it does not matter how secure the device is on its own. As many wearable devices carry very sensitive information, such as GPS tracking that can reveal when a user is at home, this kind of data breach could have serious consequences.
Another issue for wearable fitness trackers such as Fitbit is that they are intended to be used for medical purposes. If these devices are not fully secure, users will not trust them enough for the devices to reach their full potential. It appears that Fitbit is set to introduce two-factor authentication in order to ensure that this does not happen again. This will be a good step forward in establishing the trust needed for the devices to be used in this way.
Many would argue, however, that Fitbit should have implemented two-factor authentication when the system was first released, in line with the principles of privacy by design (PbD). PbD is a set of principles put in place specifically to avoid breaches like this one.
According to PbD, it isn’t right for a device to harvest personal data and then expect the users to do the work of protecting the data. Companies like Fitbit should ensure that all of the data is secure by default, before any kind of security breach happens.
Unfortunately, as users are currently expected to do some of the work of protecting the data, it is important to be careful when choosing a wearable device. Here is a four-step plan for keeping your data safe when choosing and using a wearable device:
Wearable manufacturers and vendors need to be well prepared in the event that something like this happens. Fitbit was criticized across social media for its response to users affected by this security breach, so it is important to get your response right the first time.
It is even more important to remember that avoiding a security breach is far better than responding to one well. The FTC and FDA are monitoring the privacy of wearable devices very carefully. In the case of another security breach, it will not just be users asking questions, but also the authorities!