Fitness and Health Tracking Fails to Secure Your Personal Information, Says Symantec

The Internet of Things Growth Concerns Security Researchers

During the last two years, we have seen numerous reports about the Internet of Things fast growth, with smart thermostats, smart door locks, smart refrigerators, smart TVs, smart cars and smart homes. The major concern, however, is not the functionality, but security. Some major fishing attacks were found using hundreds of smart utilities, such as TVs, refrigerators and routers to send out malicious emails, which made security researchers raise alarm about the weakest link in a user's online security.

Symantec Scrutinizes Wearables and Health Apps

This time, fitness tracking gear and apps are in the spotlight. Security company Symantec published a whitepaper titled 'How Safe Is Your Quantified Self,' outlining the company's findings after scrutinizing fitness tracking industry. The results are unnerving in the least. Location tracking turns out to be easily hackable, while password management does not deploy encryption when transmitting. A lack or absence of privacy policies and major data leaking holes are just the tip of the iceberg in Symantec's findings.

The market of wearable tech is estimated to be $14 billion worth and rising, according to ABI Research. During the first half of 2014, health tracking and fitness apps market saw 62% growth, which is really rapid. By 2018, ABI expects more than 485 million wearable gadgets to be shipped worldwide. Apparently, the gadget manufacturers and apps developers desperately lag behind their own inventions security-wise. Let us take a brief look at Symantec findings.

Symantec scrutinized the entire fitness and health tracking segment, staring from wearables like Jawbone, ending with standalone apps that tap into a smartphone's inbuilt sensors, as well as simple and advanced apps that require users input their data manually.

How Sensitive Would You Rate That Data?

Symantec labels these apps and gadgets 'self-trackers' because that's what they are at their core, allowing users track their heart rate, pulse, breathing patterns, sleep cycles, menstrual periods, ovulation, basal temperature, sexual intercourse dates and frequency, emotional state, weight, cholesterol levels, food consumption, or alcohol addiction.

Now, multiply that load of personal information by two major security pillars - encryption, or the absence of whereof, and GPS tracking, or its loopholes. I would add the third one - most users never bother to create strong passwords for secondary apps like fitness tracking, or worse, use the same password for their online banking, personal email and weight loss management app.

Image Source: Symantec

GPS tracking area is especially susceptible to tracking, which does not even require any advanced skills in the field. Currently available wearable gadgets focused on fitness were found extremely vulnerable to location tracking, according to Symantec, particularly the gadgets that rely on Bluetooth LE.

Password protection is the next reason to worry - 20% of health and fitness tracking apps transmit user passwords without any encryption whatsoever, which brings up the user recklessness issue when using weak passwords, or the same passwords for multiple accounts.

Data siphoning is another troubling aspect. Symantec depicts one particular example of a health tracking app sharing very sensitive, or rather intimate, information:

'In one app that tracks sexual activity, the app makes specific requests to a certain analytics service URL at the start and end of each session. In its communication, the app passes a unique ID for the app instance and the app name itself as well as messages indicating start and stop of the tracked activity. Based on this information, the third party who receives the data would be able to know the sexual habits of the owner of the device.'

Unclear or absent privacy policy seems to haunt the entire industry, with staggering 48% of examined apps missing the corresponding section anywhere on their websites or in their apps' interfaces. It’s a question that remains to be cleared out whether they have those policies at all, or simply use their users' private data at the developers' discretion.

Where does it leave the end-user then?

The answer is - on a shaky ground, with some sensitive information exposed for anyone willing to take advantage of it. Symantec could not come up with any piece of advice, except for the traditional recommendations to use strong passwords and avoid unnecessary or excessive social sharing.

Personally, I would require criminal persecution for manufacturers and developers neglecting privacy and security of their consumers, or leaving users' private data in the open intentionally, with the aim of aggregation and re-selling to third parties, including advertising agencies. As of now, the accountability of tech industry players is ironically insignificant, and given the industry's influence and reach, the problem poses a major threat to consumers in particular, and society in general.

Sources: Symantec, IB Times, Cnet, Wired, Business Spectator.