Apple Watch comes out ahead in study of fitness tracker privacy, security

Posted in Apple Watch, edited February 2016
When it comes to the privacy and security of user data, the Apple Watch and its accompanying software ecosystem are the most well-designed products in the wearable marketplace, a new study shows.

Bluetooth privacy protections -- or lack thereof -- were central to the study's findings. Of the eight devices tested, Apple's wearable was the only one that regularly altered the MAC address broadcast by its Bluetooth radio.

Randomization of the MAC address on Bluetooth Low Energy products is accomplished by a BLE feature known as "LE Privacy." This is important, because unpaired Bluetooth products are designed to send "advertising" packets at regular intervals for discovery -- that's how your iPhone knows that there's a nearby Apple Watch available for pairing.

Without this feature, researchers at Canadian privacy non-profit Open Effect and the University of Toronto note that it's relatively trivial to track the movements of individual users when their fitness bands are not actively paired with a device.

Contacted by the researchers about the fault, Fitbit noted that compatibility issues within the "fragmented Android ecosystem" prevent them from adding LE Privacy, despite hardware support in their products. Through corporate parent Intel, Basis noted that using the Peak while not paired to a smartphone was an edge case and did not commit to a fix.

None of the other companies in the test -- Garmin, Jawbone, Mio, Withings, or Xiaomi -- came back with "notable responses."
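The tracking risk described above comes down to whether an advertiser's address is a stable identifier. The following script is an added example (not code from the study or from any of the vendors named) that classifies advertiser addresses by the rules of the Bluetooth Core specification: a public address is fixed, a random address whose two most significant bits are 0b11 is a static address, and one whose two most significant bits are 0b01 is a resolvable private address, the kind LE Privacy rotates. It then runs that classification over a constructed observation log (timestamp, address, TxAdd bit) and reports which addresses would let a passive observer link sightings across time. Resolving a private address back to a device requires the device's Identity Resolving Key, which a bystander does not have, so the script deliberately treats those as unlinkable.

```python
"""Privacy assessment over constructed BLE advertising observations.

Added example, not from the Open Effect / University of Toronto study or the
article. The address-type rules follow the Bluetooth Core specification; the
observation log below is constructed for illustration.
"""

# Address kinds. "Public" is signalled by the PDU's TxAdd bit, not by the bits
# of the address itself; for random addresses the two most significant bits
# of the first octet decide the sub-type.
def classify_address(addr: str, tx_add_random: bool) -> str:
    first_octet = int(addr.split(":")[0], 16)
    if not tx_add_random:
        return "public"                  # fixed IEEE-style address, never changes
    msb2 = first_octet >> 6
    if msb2 == 0b11:
        return "static-random"           # fixed for the device's lifetime (or power cycle)
    if msb2 == 0b01:
        return "resolvable-private"      # LE Privacy: rotates, resolvable only with the IRK
    if msb2 == 0b00:
        return "non-resolvable-private"  # rotates, never resolvable
    return "reserved"                    # 0b10 is not assigned by the spec


# Address kinds that act as a persistent identifier to anyone listening.
STABLE = {"public", "static-random"}

# Constructed log: (seconds since start of capture, advertiser address, TxAdd random bit)
OBSERVATIONS = [
    (0,    "C8:69:CD:11:22:33", False),  # public address: repeats all day
    (3600, "C8:69:CD:11:22:33", False),
    (7200, "C8:69:CD:11:22:33", False),
    (0,    "5A:2B:9C:01:02:03", True),   # RPA (0b01...): a new address roughly every 15 min
    (900,  "4E:71:00:AA:BB:CC", True),
    (1800, "6C:13:D4:0D:0E:0F", True),
    (0,    "F0:1A:2B:3C:4D:5E", True),   # static random (0b11...): stable identifier
    (7200, "F0:1A:2B:3C:4D:5E", True),
]


def address_report(observations, min_span_s=1800):
    """Return {addr: (kind, span_seconds, linkable)}.

    An address is flagged as linkable when it is a stable kind AND was seen
    over a span of at least min_span_s seconds, i.e. a passive observer could
    tie sightings of the wearer together across that span.
    """
    first, last, kind = {}, {}, {}
    for t, addr, rnd in observations:
        kind[addr] = classify_address(addr, rnd)
        first[addr] = min(t, first.get(addr, t))
        last[addr] = max(t, last.get(addr, t))
    report = {}
    for addr, k in kind.items():
        span = last[addr] - first[addr]
        report[addr] = (k, span, k in STABLE and span >= min_span_s)
    return report


if __name__ == "__main__":
    for addr, (k, span, linkable) in address_report(OBSERVATIONS).items():
        flag = "LINKABLE" if linkable else "ok"
        print(f"{addr}  {k:<24} seen over {span:>5}s  {flag}")
```

Run against the constructed log, the public and static-random advertisers are reported as linkable over the two-hour capture, while the three rotating addresses each appear once and cannot be tied together without the key. A device that exposes a fixed address only while unpaired, which is the Fitbit and Basis situation described above, would show up in the first category whenever its companion phone is out of range.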

In addition to the Bluetooth issues, several companion software packages were found to be insecure. The researchers were variously able to intercept and read fitness data or write false data to disk.

The Garmin Connect app does not use HTTPS for its connections, allowing a man-in-the-middle attacker to read and write data. A similar attack was possible against Withings' Health Mate app on Android, while Jawbone's Up could allow users to send arbitrary fitness data to the cloud, an issue with potentially severe consequences:

"These findings concerning fitness tracker data integrity could call into question several real-world uses of fitness data," the researchers wrote. "Fitness tracking data has been introduced as evidence in court cases...meaning that at least some attorneys are relying upon generated fitness data as a possibly objective indicator of a person's activities at a given point in time. For Jawbone and Withings we created fraudulent fitness data which indicated that a passive measuring device, the fitness device, recorded a person taking steps at a specific time when no such steps occurred."
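The integrity problem the researchers describe is that the cloud accepts whatever the companion app sends. The following is an added example (not code from Jawbone, Withings, Garmin or the study) showing one server-side mitigation: each sample is authenticated with an HMAC under a per-device key, and the server also enforces a monotonically increasing counter so that a captured sample cannot be resubmitted. Device IDs, keys, timestamps and step counts are all constructed for the demonstration.

```python
"""Authenticated fitness samples with replay protection.

Added example, not the apps' or the study's code. Assumes a per-device key
provisioned at pairing time; the keys and samples here are constructed.
"""
import hashlib
import hmac
import json

# Constructed per-device keys. To support the "passive measuring device"
# argument from the quote above, the key would live on the tracker itself,
# not in a companion app the user can modify.
DEVICE_KEYS = {"band-0001": b"constructed-demo-key-0001"}


def canonical(sample: dict) -> bytes:
    # Deterministic encoding so device and server authenticate identical bytes.
    return json.dumps(sample, sort_keys=True, separators=(",", ":")).encode()


def sign_sample(device_id: str, counter: int, ts: int, steps: int, key: bytes) -> dict:
    """What the tracker would emit: the sample plus an HMAC-SHA256 tag."""
    body = {"device_id": device_id, "counter": counter, "ts": ts, "steps": steps}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class Server:
    """Cloud endpoint that only stores samples it can authenticate."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_counter = {}   # device_id -> highest counter accepted so far
        self.accepted = []

    def ingest(self, sample: dict) -> str:
        body = {k: v for k, v in sample.items() if k != "tag"}
        key = self.keys.get(body.get("device_id"))
        if key is None:
            return "rejected: unknown device"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; a missing tag compares as empty and fails.
        if not hmac.compare_digest(expected, sample.get("tag", "")):
            return "rejected: bad tag"
        if body["counter"] <= self.last_counter.get(body["device_id"], -1):
            return "rejected: replay"
        self.last_counter[body["device_id"]] = body["counter"]
        self.accepted.append(body)
        return "accepted"


def demo() -> list:
    """Submit a genuine sample, a tampered copy, an unsigned sample and a replay."""
    key = DEVICE_KEYS["band-0001"]
    server = Server(DEVICE_KEYS)
    genuine = sign_sample("band-0001", 1, 1455000000, 412, key)
    tampered = dict(genuine, steps=9000)      # altered in transit: tag no longer matches
    unsigned = {"device_id": "band-0001", "counter": 2, "ts": 1455000600, "steps": 5000}
    replay = dict(genuine)                    # a valid sample submitted a second time
    return [server.ingest(s) for s in (genuine, tampered, unsigned, replay)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The check only has value if the key is out of the user's reach: a key held by the companion app stops a third party on the network from altering data, which addresses the Garmin and Withings findings, but not a user who controls the app, which is the Jawbone case. Timestamps inside the signed body should also be sanity-checked against the device's counter progression, since a device key does not by itself stop a tampered device clock.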

Comments

  • Reply 1 of 7
lkrupp (10,557 posts, member)

    Without this feature, researchers at Canadian privacy non-profit Open Effect and the University of Toronto note that it's relatively trivial to track the movements of individual users when their fitness bands are not actively paired with a device.
    Fitbit blamed the "fragmented Android ecosystem" for the lack of LE Privacy support.
    Contacted by the researchers about the fault, Fitbit noted that compatibility issues within the "fragmented Android ecosystem" prevent them from adding LE Privacy, despite hardware support in their products. Through corporate parent Intel, Basis noted that using the Peak while not paired to a smartphone was an edge case and did not commit to a fix.
    But since Android rules the world nobody cares about this and Apple is Doomed™. Millions upon millions of Android users walking around with security flaws that won’t or can’t be fixed because their devices don’t get updates. But that’s okay because Android dominates, and not a word if this ever makes it into tech news reports. All we hear about is Apple’s projected growth slowdown. And let some German nerds figure out how to bypass TouchID with expensive high resolution printers and it’s gloom and doom for Apple security.
    edited February 2016
  • Reply 2 of 7
cali (3,494 posts, member)
    I wonder if any tech sites are reporting this? Probably not.

    This is why I come to Apple Insider a lot.
  • Reply 3 of 7
larrya (604 posts, member)
    So, if my device is paired, involuntary tracking is a non-issue. And if I have a Garmin device, someone could add steps or activities.  Yawn.  

    I still choose GPS and waterproofing and battery life. 
  • Reply 4 of 7
tjwolf (424 posts, member)
    larrya said:
    So, if my device is paired, involuntary tracking is a non-issue. And if I have a Garmin device, someone could add steps or activities.  Yawn.  

    I still choose GPS and waterproofing and battery life. 
    Or heart rate (I don't actually know if your Garmin has that).  In any event, as people become dependent on accurate heart rate measurements, getting that data messed with by someone is hardly a yawn.

    And, of course, some have more capable fitness tracking devices - so there's not just steps and activities.
  • Reply 5 of 7
512ke (782 posts, member)
    Great. But I agree that GPS, battery life, and utility independent of a phone are more important drivers of sales. 
  • Reply 6 of 7
nolamacguy (4,758 posts, member)
    512ke said:
    Great. But I agree that GPS, battery life, and utility independent of a phone are more important drivers of sales. 
    The facts seem to contradict your claim -- there are GPS devices and trackers w/ longer battery, yet AW has greater sales.

    Myself, I have over 40% battery left when I slap my watch on its bedside charger when I go to sleep at night, so that's less of an issue. GPS and independent data radio would be nice, of course, but won't happen until there are fundamental improvements to the same old battery tech problem the entire industry has been struggling with for years.
  • Reply 7 of 7
jbdragon (2,301 posts, member)
    512ke said:
    Great. But I agree that GPS, battery life, and utility independent of a phone are more important drivers of sales. 
    The facts seem to contradict your claim -- there are GPS devices and trackers w/ longer battery, yet AW has greater sales.

    Myself, I have over 40% battery left when I slap my watch on its bedside charger when I go to sleep at night, so that's less of an issue. GPS and independent data radio would be nice, of course, but won't happen until there are fundamental improvements to the same old battery tech problem the entire industry has been struggling with for years.
    I generally have over 50% left at the end of a day. On my days off, it can be even higher. I'm sure though that longer battery life means 5+ days without needing a charge or longer. I don't see the problem myself. I don't want to be wearing anything when I'm sleeping, so the watch comes off anyway, no matter what it is. It takes seconds to dock my iPhone and throw my Apple Watch onto its charging stand. In the morning, it goes on in a matter of seconds. I really don't think it's an issue. If battery life is so important you need days, go get a Pebble, but it only does a fraction of the Apple Watch with a much crappier screen and look. One of the things I really love about the Apple Watch which I think has really turned into a huge thing is bands. Swapping out your band for something else in a matter of seconds and really changing the look. That's really never been a thing on watches in the past. You buy your watch and the band that was on it was more than likely the band it will always have unless it breaks. You don't go swapping bands all the time. Maybe own a few different watches and that's how you changed your look.