Safety, security and privacy risks of fitness tracking and ‘quantified self’

Symantec is out with a report that raises questions about the safety and security of wearable technology.

In the report, How Safe is Your Quantified Self, Symantec “found security risks in a large number of self-tracking devices and applications,” including the finding that “all of the wearable activity-tracking devices examined, including those from leading brands, are vulnerable to location tracking.”

A report from ABI Research estimates that the wearable computing device market will grow to 485 million annual device shipments by 2018, but lots of people are already wearing fitness trackers from Fitbit, Jawbone, Samsung and others, and even more are using smartphone apps that track their movement throughout the day.

Report shows security risk of wearable devices

If your device is hacked, said Symantec, the perpetrators could know:

  • The mileage that you are covering
  • When you usually go running
  • Where you usually go running
  • Where you live
  • Your age, sex, height, and weight
  • Your heart rate
  • Your altitude
  • Steps taken
  • Where and when you are on vacation

In the clear

The report also found that 20% of the fitness apps “transmitted passwords in the clear.” A staggering 52 percent of apps examined did not make privacy policies available, according to the report.

The report suggests that “the information could be useful to governments, marketers, businesses, and of course cybercriminals.”

In an interview, Symantec’s Director of Security Response, Orla Cox, said that “some applications were actually communicating with up to 15 different remote locations,” including “analytics companies and a variety of different organizations.” She said that “there are companies interested in this data,” and that “attackers are very much driven by money so it’s possible that this data could be taken and sold to third party companies.”

Cox said that security companies are looking at developing security software for wearable devices. Symantec, like most security companies, already has software for mobile devices, which are typically used to send the data back to servers, but that software isn’t likely to protect data that’s transmitted from the device itself, such as the Bluetooth signal it uses to connect with the phone.

Recommendations

Cox recommends that users of these devices turn off Wi-Fi and Bluetooth when they’re not using them and be “a little bit more wary when you’re installing applications and getting an understanding of what the application is going to do with your data.” She also suggests that device manufacturers make it easier for consumers to turn off these signals when they’re not in use.

Listen to Larry’s 1-minute CBS News Tech Talk segment with a sound bite from Symantec’s Orla Cox

The MoveC300 watch I wear from Lifetrack is able to sync with Android and iOS devices but you have to press a sync button each time you want to transmit data. That not only makes it harder to hack but also preserves battery life, which is one of the reasons the watch can run for up to a year on a coin-sized battery.

LifeTrack Move 300 requires you to press a button each time you sync

This post first appeared on Forbes.com