You already knew your smartphone was tracking you, but now it turns out that your location and other data can be tracked from your wearable devices such as fitness trackers or smart watches — even if you don’t connect to the internet directly. A Symantec research paper released Wednesday outlined the privacy dangers that wearables and fitness tracking apps present, arguing that the effort to quantify yourself throws off a lot of highly personal data that can potentially be shared.
The study found that Bluetooth was culpable in sharing location information, much like Wi-Fi shares people’s location information by shouting out the networks it has connected to in the past and allowing a malicious actor (or data collection company) to figure out who a person is based on where they connect. We wrote about the City of London coming down on a maker of a connected trashcan for behaving like this, but in the U.S. regulators have not said a peep.
It also discovered a few other startling statistics outside of the location-tracking. Most of this falls under the category of just basic data leakage and a complete lack of attention to security:
- Symantec found that 20 percent of apps that require user accounts expose login credentials through clear text transmission.
- When it comes to apps, they get around. On average, the self-tracking apps studied contacted five different domains with only a tiny proportion not making any network connections. The largest number of domains contacted by any single app was 14.
The report also notes that many apps unintentionally leak information such as user names, data or photos about the user because of poor design, lax data transmission or storage practices, or a lack of security effort altogether. This isn’t just benign information about how many steps you’ve taken. Data about your sleep cycles could tell burglars when it is a good time to break in, while data about your weight might embarrass you if it leaked on the web.
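The two app findings above (login credentials sent in clear text, and the number of domains each app contacts) can be checked for any app by auditing its captured traffic. The sketch below is an added example, not code from the Symantec report; the hostnames, request records and list of credential field names are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Field names treated as credentials (an assumption; extend for the app under test).
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass", "token", "session", "auth"}

# Constructed sample: requests as exported from an intercepting proxy on a test device.
SAMPLE = [
    {"method": "POST", "url": "http://api.fitapp.example/login",
     "headers": {}, "body": "user=alice&password=hunter2"},
    {"method": "GET", "url": "https://cdn.fitapp.example/img/logo.png",
     "headers": {}, "body": ""},
    {"method": "GET", "url": "http://ads.tracker.example/p?uid=alice&token=abc123",
     "headers": {}, "body": ""},
    {"method": "POST", "url": "https://api.fitapp.example/sync",
     "headers": {"Authorization": "Bearer xyz"}, "body": "steps=9000"},
    {"method": "GET", "url": "http://stats.example/v1/ping",
     "headers": {"Authorization": "Basic YWxpY2U6aHVudGVyMg=="}, "body": ""},
]

def audit(requests):
    """Return (contacted hosts, findings for credentials sent without TLS)."""
    hosts, findings = set(), []
    for req in requests:
        url = urlsplit(req["url"])
        host = (url.hostname or "").lower()
        hosts.add(host)
        if url.scheme.lower() != "http":
            continue  # TLS-protected; only cleartext requests are flagged here
        # Credential-like parameters in the query string or a form-encoded body.
        params = parse_qsl(url.query) + parse_qsl(req.get("body") or "")
        leaked = sorted({k.lower() for k, _ in params if k.lower() in CREDENTIAL_KEYS})
        # An Authorization header over plain HTTP is readable by anyone on the path.
        if any(h.lower() == "authorization" for h in req.get("headers", {})):
            leaked.append("authorization-header")
        if leaked:
            findings.append((host, leaked))
    return hosts, findings

if __name__ == "__main__":
    hosts, findings = audit(SAMPLE)
    print(f"{len(hosts)} distinct hosts contacted: {sorted(hosts)}")
    for host, fields in findings:
        print(f"cleartext credentials to {host}: {', '.join(fields)}")
```

A host that shows up in the findings list is receiving secrets that anyone on the same network path can read; the host count gives the same per-app figure the report averages.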
Symantec conducted the research by building Bluetooth scanning devices using Raspberry Pis and off-the-shelf components from big box stores. These Pis ran open source software and a few custom scripts that Symantec claims someone with basic IT skills could build for less than $75 per scanner. Researchers took these devices to public places and started tracking.
With 69 percent of the U.S. population tracking some aspect of their (or a loved one’s) health and movement and 21 percent of those using some form of technology, the idea that they might be sharing more than they think is worth discussing. Kevin Haley, one of Symantec’s threat intelligence researchers, hopes this report starts that discussion, giving consumers the ability to vote for better-designed apps and devices with their wallets and attention.
Of course, for that to happen, we in the media should probably start asking device and app companies about their security and data-sharing policies so consumers can make smart decisions. In the meantime, Haley recommends you turn Bluetooth and Wi-Fi off on devices when you don’t need them.
Updated: This post was updated at 10:06 am to clarify some of the stats used about how people are tracking their health and what devices they use.