Fitness tracking goes under the security spotlig

ht
The wearable market is currently estimated be worth around $14 bi
llion and it's on the way up. According to AB Research, by !1" o#er 4
"$ million wearable de#ices will ship each year.
%itness trackers are &ust one part o' the market, but they're a high pro
(le one and it's little surprise that they'#e 'allen under )ymantec's sec
urity microscope.
)ymantec's whitepaper, *+ow sa'e is your ,uanti(ed-sel' ./0%1*, looks
at the whole (tness tracking mo#ement, 'rom dedicated de#ices such
as the %itbit or the 2awbone, to apps that use a smartphone's inbuilt s
ensors, and through to programs that re,uire a user to input in'ormati
on manually.
The report paints a picture o' a new market segment that is in need o'
better in'ormation protection.
)ymantec notes that the sort o' in'ormation being collected by what it
terms 'sel'-trackers' di3ers signi(cantly 'rom *traditional* personal in'
ormation, such as name, date o' birth or address. )el'-tracking in'orm
ation can be as #aried as weight, B/4, sleep times, location data, or e
#en things as personal as se5ual acti#ity, emotional state, or drinking
habits.
6n terms o' security issues, &ust some o' the troublesome areas that re
port highlights include7
8ulnerable 9ocation Tracking7 )ymantec 'ound that all the current we
arable (tness models were #ulnerable to location tracking, but says th
at those using Bluetooth 9: are particularly at risk.
The company used the Raspberry /i /; to build a number o' cheap Bl
uetooth scanners disco#ering that7
By placing a number o' scanning de#ices at #arious locations, it is pos
sible to scan and locate a de#ice by identi'ying the hardware address
and measuring the relati#e signal strengths between scanners and the
de#ice, it is possible to get an appro5imate (5 on the physical location
o' the de#ice.
/oor password protection7 A staggering ! percent o' apps transmitte
d their password data *in the clear* -- that is with no encryption at all.
<i#en the e#idence that many people use the same or similar passwor
ds across multiple ser#ices, this is cause 'or concern.
9ack o' pri#acy policy7 =nly $ percent o' the apps that )ymantec e5a
mined made their pri#acy policies a#ailable to users.
>nintentional data leakage7 )ymantec's report gi#es a rather speci(c
e5ample o' one app that shares some rather personal in'ormation7
6n one app that tracks se5ual acti#ity, the app makes speci(c re,uests
to a certain analytics ser#ice >R9 at the start and end o' each session.
6n its communication, the app passes a uni,ue 60 'or the app instance
and the app name itsel' as well as messages indicating start and stop
o' the tracked acti#ity. Based on this in'ormation, the third party who
recei#es the data would be able to know the se5ual habits o' the owne
r o' the de#ice, granted that the real identity o' the de#ice owner may
not be associated with the 60.
)adly, )ymantec can't o3er too many recommendations to users o' tra
cking apps and de#ices, other than the usual *use strong passwords* a
nd *be care'ul about social sharing*.
6nstead, the call seems more (rmly in the court o' the app de#elopers
and de#ice manu'acturers. )ecure session management, 'ollowing the
best practices 'or passwords and better protocols 'or transmission o' s
ecure data are &ust some o' the recommendations.
0ata 'rom AB Research says that in the (rst si5 months o' !14, there
was a ? percent growth in the use o' health and (tness apps. This is
a market e5periencing some #ery rapid growth, and unless the de#s a
nd manu'acturers &ump on board soon we don't think this is the last ti
me we'll be hearing about security issues with (tness trackersTwitter.
https7@@twitter.com@AB;9B==C 1 plurk .http7@@www.plurk.com@searc
hkeywords 1 linkedincn.linkedin.com@pub@-@D4@1!a@bE!@:di
t 18k .http7@@#k.com@chinateach 1reddit. http7@@www.reddit.com@user@e5
tensions1@ 1weibo .http7@@weibo.com@searchkeywords 1