New study finds Fitbits can be hacked, data stolen

A new study suggests that at least two types of wristband made by Fitbit can be hacked and have their data stolen.

In the study by the University of Edinburgh, data transmitted between the Fitbit One and Fitbit Flex devices and cloud servers could be intercepted, giving the researchers access to personal information and the ability to create false activity records.

The researchers also discovered a way of circumventing end-to-end encryption – built-in software designed to prevent outside access to sensitive data – by dismantling the devices and altering data stored on them.

A data security lapse of this kind opens the door to issues like insurance fraud as false activity data sharing with insurance companies could result in cheaper insurance cover.

The reverse situation could also be possible where data is manipulated to deny cover for people in need of insurance.

In the US, such issues would be major obstacles for increasingly popular ‘corporate wellness programmes’ which offer rewards for physical activity.

“If this kind of analysis can be performed now or anytime in the future, it could be used to determine a person has a specific medical condition,” said Dan Lyon, principal consultant at US technology firm Synopsys. “The impact of this to the individual could be raised healthcare premiums or even denied coverage due to preexisting conditions.  And once the data is in the hands of an organisation, it could potentially be sold for other purposes”.

Although the two devices in question are older models and have since had their software patched to fix these issues, the findings of this study are a healthy reminder for Fitbit as it continues to push into the healthcare market.

Its recently released smartwatch, the Fitbit Ionic, collects the most personal data any Fitbit has in the past like blood oxygen levels, making it a more attractive device to hack for anyone willing to do so.

In response to the findings, Fitbit has released the following statement: “As the leading wearables brand, we are committed to protecting consumer privacy and keeping data safe. Based on our collaboration with the researchers, we are in the process of rolling out updates to address the issues raised by their report. We are not aware of any actual compromise of user data from these issues.”

A broader issue

As technologies advance and gather more personal data, data security is a growing issue. As such, companies are attempting to develop means of creating as secure a data storage and sharing method as possible.

IBM is one of these firms which, in partnership with the FDA, is developing a more secure means of sharing patient data using blockchain – a technology widely considered to be the most secure method of data storing and sharing available.

In the UK, Google DeepMind is working with the NHS to develop a platform to help securely track and share patient data.

Each separate part of a patient’s health data is stored in separate ‘blocks’ of a complete whole, to which extra data can only be added and not amended or deleted. Timestamps are also taken whenever the data is accessed along with reasoning as to why it is being accessed in the first place.

Don't miss your daily pharmaphorum news.
SUBSCRIBE free here.